remove most features

The Renovate config in this repository needs migrating. Typically this
is because one or more configuration options you are using have been
renamed.

You don't need to merge this PR right away, because Renovate will
continue to migrate these fields internally each time it runs. But later
some of these fields may be fully deprecated and the migrations removed.
So it's a good idea to merge this migration PR soon.



#### [PLEASE
NOTE](https://docs.renovatebot.com/configuration-options#configmigration):
JSON5 config file migrated! All comments & trailing commas were removed.

🔕 **Ignore**: Close this PR and you won't be reminded about config
migration again, but one day your current config may no longer be valid.

❓ Got questions? Does something look wrong to you? Please don't hesitate
to [request help
here](https://redirect.github.com/renovatebot/renovate/discussions).


---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>

.github/workflows/main.yml

@@ -27,9 +27,9 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v5
         with:
           node-version: "${{ env.NODE_VERSION }}"
           registry-url: "${{ env.NODE_REGISTRY }}"
@@ -55,10 +55,12 @@ jobs:
 
       - name: Install dependencies
         run: pnpm install
+        working-directory: images/operator
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Run tests
+        working-directory: images/operator
         run: pnpm test
 
   update-release-draft:
@@ -71,11 +73,23 @@ jobs:
     environment: release
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - id: create-release
+        uses: release-drafter/release-drafter@v6
         with:
           config-name: release-drafter-config.yml
           publish: true
-          assets: |
-            operator.yaml
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v5
+
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create-release.outputs.upload_url }}
+          asset_path: ./operator.yaml
+          asset_name: operator.yaml
+          asset_content_type: application/yaml

.github/workflows/publish-backup-tag.yml

@@ -0,0 +1,65 @@
+name: Publish tag
+
+on:
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*"
+
+env:
+  environment: test
+  release_channel: latest
+  DO_NOT_TRACK: "1"
+  NODE_VERSION: "23.x"
+  DOCKER_REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}-backup
+  PNPM_VERSION: 10.6.0
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  release:
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      pages: write
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
+        with:
+          registry: ${{ env.DOCKER_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@032a4b3bda1b716928481836ac5bfe36e1feaad6
+        with:
+          images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@cb8fc7586f9ad9441b20c33e0f6e8b1b58d8b4c6
+        with:
+          context: ./images/backup
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/publish-tag.yml

@@ -3,7 +3,7 @@ name: Publish tag
 on:
   push:
     branches:
-      - 'main'
+      - "main"
     tags:
       - "v*"
 
@@ -31,12 +31,12 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@5b7b28b1cc417bbd34cd8c225a957c9ce9adf7f2
         with:
           registry: ${{ env.DOCKER_REGISTRY }}
           username: ${{ github.actor }}
@@ -44,21 +44,21 @@ jobs:
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@032a4b3bda1b716928481836ac5bfe36e1feaad6
         with:
           images: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}
 
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@cb8fc7586f9ad9441b20c33e0f6e8b1b58d8b4c6
         with:
-          context: .
+          context: ./images/operator
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v3
         with:
           subject-name: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME}}
           subject-digest: ${{ steps.push.outputs.digest }}

.github/workflows/renovate.yml

@@ -0,0 +1,16 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 */6 * * *"
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v43.0.13
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          configurationFile: ./renovate.json5

.gitignore

@@ -1,36 +1,4 @@
-# dependencies (bun install)
-node_modules
-
-# output
-out
-dist
-*.tgz
-
-# code coverage
-coverage
-*.lcov
-
-# logs
-logs
-_.log
-report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# caches
-.eslintcache
-.cache
-*.tsbuildinfo
-
-# IntelliJ based IDEs
-.idea
-
-# Finder (MacOS) folder config
-.DS_Store
-
+/secret.*.yaml
 /data/
+/.envrc
+*.DS_Store

Dockerfile

@@ -1,6 +0,0 @@
-FROM node:23-alpine
-RUN corepack enable
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prod
-COPY . .
-CMD ["node", "src/index.ts"]

Makefile

@@ -4,7 +4,7 @@ dev-destroy:
 	colima delete -f
 
 dev-recreate: dev-destroy
-	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable=helm-controller,local-storage,traefik" # --mount ${PWD}/data:/data:w 
+	colima start --network-address --kubernetes -m 8 --k3s-arg="--disable helm-controller,local-storage,traefik --docker" # --mount ${PWD}/data:/data:w 
 	flux install --components="source-controller,helm-controller"
 
 setup-flux:

README.md

@@ -1,6 +0,0 @@
-## Bootstrap repo
-
-```
-brew install fluxcd/tap/flux
-make setup-server
-```

TODO.md

@@ -1 +0,0 @@
-- Fix issue with incompatible spec breaking the server

cert-issuer.yaml

@@ -1,19 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: alice@alice.com
-    privateKeySecretRef:
-      name: letsencrypt-prod-account-key
-    solvers:
-      - dns01:
-          cloudflare:
-            email: alice@alice.com
-            apiTokenSecretRef:
-              name: cloudflare-api-token
-              key: api-token

charts/operator/templates/clusterrole.yaml

@@ -6,6 +6,9 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["create", "get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
 - apiGroups: [""]
   resources: ["persistentvolumes"]
   verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
@@ -23,7 +26,7 @@ rules:
   verbs: ["get", "list", "watch"]
 - apiGroups: ["*"]
   resources: ["*"]
-  verbs: ["get", "watch", "list", "patch"]
+  verbs: ["get", "watch", "list", "patch", "create", "update", "replace"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
-  verbs: ["get", "create", "replace"]
+  verbs: ["get", "create", "update", "replace", "patch"]

charts/operator/templates/clusterrolebinding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "homelab-operator.fullname" . }}
+  name: '{{ include "homelab-operator.fullname" . }}'
 subjects:
-- kind: ServiceAccount
-  name: {{ include "homelab-operator.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  - kind: ServiceAccount
+    name: '{{ include "homelab-operator.serviceAccountName" . }}'
+    namespace: "{{ .Release.Namespace }}"
 roleRef:
   kind: ClusterRole
-  name: {{ include "homelab-operator.fullname" . }}
+  name: '{{ include "homelab-operator.fullname" . }}'
   apiGroup: rbac.authorization.k8s.io

charts/operator/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "homelab-operator.fullname" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "homelab-operator.labels" . | nindent 4 }}
 spec:

charts/operator/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "homelab-operator.serviceAccountName" . }}
+  namespace: "{{ .Release.Namespace }}"
   labels:
     {{- include "homelab-operator.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/operator/values.yaml

@@ -4,13 +4,13 @@
 
 image:
   repository: ghcr.io/morten-olsen/homelab-operator
-  pullPolicy: Always
+  pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: main
+  tag: main@sha256:df20d7e4f48bd886cef63ab882de9c6df76b0b297724d1cdf3a79aba8de6f896
 
 imagePullSecrets: []
-nameOverride: ''
-fullnameOverride: ''
+nameOverride: ""
+fullnameOverride: ""
 
 storage:
   path: /data/volumes
@@ -25,7 +25,7 @@ serviceAccount:
   annotations: {}
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: ''
+  name: ""
 
 podAnnotations: {}
 

cloudflare.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare
+  namespace: homelab
+data:
+  token: WDhqQ1Z2WGtHUVh4XzIzb0d2WmNUcWZkWm8zZGpsMXE0dGIxU0J3Zg==
+  account: ZThkZDYwMDQ5MTI2NDM3MDhhNGZlMDI4YjNkNWEzMzM=
+  tunnelName: aG9tZWxhYg==
+  tunnelId: YTI1ZTI1MDEtNzNiNi00MDc1LWI3MjYtZDc1YWViZmE4ZmNk
+  secret: UWgvRWtGNkY2MUNxSnFwMGlCQXJ3MUxyd245ZldtcTd1RDNrZk1VUEVBVT0=
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: lets-encrypt-prod
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: alice@alice.com
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            email: alice@alice.com
+            apiTokenSecretRef:
+              name: cloudflare
+              key: token

docker-compose.dev.yaml

@@ -1,12 +0,0 @@
-name: homelab
-services:
-  postgres:
-    image: postgres:17
-    ports:
-      - 5432:5432
-    environment:
-      POSTGRES_USER: $POSTGRES_USER
-      POSTGRES_PASSWORD: $POSTGRES_PASSWORD
-      POSTGRES_DB: ${POSTGRES_DB:-postgres}
-    volumes:
-      - $PWD/.data/local/postgres:/var/lib/postgresql/data

docs/monitoring.md

@@ -0,0 +1,476 @@
+# Home Kubernetes Cluster Setup: Monitoring & Security Quickstart
+
+This guide provides a practical, lightweight setup for monitoring and security on your home Kubernetes cluster. It uses Helm for easy installation and focuses on essential features with minimal complexity.
+
+## Overview
+
+This setup includes:
+
+*   **Monitoring:** Prometheus + node-exporter + kube-state-metrics + Grafana (via the `kube-prometheus-stack` Helm chart).
+*   **Image Scanning & Supply-Chain:** Trivy (Trivy Operator) for automated in-cluster image vulnerability scanning.
+*   **Policy / Admission Control / Pod Security:** Kyverno for policy enforcement and Kubernetes Pod Security Admission (PSA) for baseline security.
+*   **Runtime Security / IDS:** Falco to detect suspicious syscalls and pod activity.
+*   **Network Segmentation:** Calico (or Cilium) CNI with basic NetworkPolicy configuration.
+*   **Ad-Hoc Checks:**  kube-bench (CIS benchmarks), kube-linter/kube-score (static analysis), and kube-hunter (penetration testing).
+
+## Prerequisites
+
+*   A functional Kubernetes cluster (managed or self-hosted).
+*   `kubectl` installed and configured to connect to your cluster.
+*   Helm v3 installed.
+
+## Installation
+
+These instructions assume you have `kubectl` and Helm set up and authenticated to your cluster.
+
+### 1. Monitoring (Prometheus + Grafana)
+
+*   Add the Prometheus community Helm repository:
+
+    ```bash
+    helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+    helm repo update
+    ```
+
+*   Create the `monitoring` namespace and install the `kube-prometheus-stack` chart:
+
+    ```bash
+    kubectl create ns monitoring
+    helm install kube-prometheus prometheus-community/kube-prometheus-stack --namespace monitoring
+    ```
+
+    *Optional*: Customize the installation by creating a `values.yaml` file to configure persistence, resource limits, and scrape intervals.  See *Configuration* below for a potential `values.yaml` you can adapt.
+
+*   Access Grafana:
+
+    ```bash
+    kubectl -n monitoring port-forward svc/kube-prometheus-grafana 3000:80
+    ```
+
+    Open `http://localhost:3000` in your browser. The default `admin` user password can be found in the chart's secrets (check the Helm chart documentation).
+
+    This provides node-exporter, kube-state-metrics, a Prometheus server, Alertmanager, and pre-built dashboards for your cluster.
+
+### 2. Image Scanning (Trivy Operator)
+
+*   Add the Aqua Security Helm repository:
+
+    ```bash
+    helm repo add aqua https://aquasecurity.github.io/helm-charts
+    helm repo update
+    ```
+
+*   Create the `trivy-system` namespace and install the `trivy-operator` chart:
+
+    ```bash
+    kubectl create ns trivy-system
+    helm install trivy-operator aqua/trivy-operator --namespace trivy-system
+    ```
+
+    Trivy Operator creates `VulnerabilityReport` and `ConfigAuditReport` CRDs.  It scans images running in the cluster for vulnerabilities.
+
+### 3. Policy Admission (Kyverno)
+
+*   Create the `kyverno` namespace and install Kyverno:
+
+    ```bash
+    kubectl create ns kyverno
+    kubectl apply -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
+    ```
+
+*   Apply the example `ClusterPolicy` to deny privileged containers and hostPath mounts:
+
+    ```yaml
+    apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    metadata:
+      name: deny-privileged-and-hostpath
+    spec:
+      rules:
+      - name: deny-privileged
+        match:
+          resources:
+            kinds: ["Pod","PodTemplate","CronJob","Job","Deployment","StatefulSet"]
+        validate:
+          message: "Privileged containers are not allowed"
+          deny:
+            conditions:
+            - key: "{{ request.object.spec.containers[].securityContext.privileged }}"
+              operator: Equals
+              value: true
+      - name: deny-hostpath
+        match:
+          resources:
+            kinds: ["Pod","PodTemplate","Deployment","StatefulSet"]
+        validate:
+          message: "hostPath volumes are not allowed"
+          pattern:
+            spec:
+              volumes:
+              - "*":
+                  hostPath: null
+    ```
+
+    Save the above as `kyverno-policy.yaml` and apply it:
+
+    ```bash
+    kubectl apply -f kyverno-policy.yaml
+    ```
+
+    Adapt the `match` section to target specific workload types.  See *Example Kyverno Policy* below.
+
+### 4. Pod Security Admission (PSA)
+
+*   Apply the `baseline` Pod Security Standard to the `default` namespace:
+
+    ```bash
+    kubectl label ns default pod-security.kubernetes.io/enforce=baseline
+    ```
+
+*   For a stricter security posture, use the `restricted` profile:
+
+    ```bash
+    kubectl label ns default pod-security.kubernetes.io/enforce=restricted
+    ```
+
+    PSA provides controls like preventing privileged containers and restricting host networking.
+
+### 5. Runtime Detection (Falco)
+
+*   Add the Falco Helm repository:
+
+    ```bash
+    helm repo add falcosecurity https://falcosecurity.github.io/charts
+    helm repo update
+    ```
+
+*   Create the `falco` namespace and install the `falco` chart:
+
+    ```bash
+    kubectl create ns falco
+    helm install falco falcosecurity/falco --namespace falco
+    ```
+
+    Falco detects suspicious container behavior and system calls.
+
+### 6. Network Policy & CNI
+
+*   If you haven't already, install a CNI that supports NetworkPolicy, such as Calico:
+
+    ```bash
+    kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
+    ```
+
+    Alternatively, consider Cilium.
+
+*   Implement a default-deny NetworkPolicy:
+
+    ```yaml
+    apiVersion: networking.k8s.io/v1
+    kind: NetworkPolicy
+    metadata:
+      name: default-deny
+      namespace: my-namespace
+    spec:
+      podSelector: {}
+      policyTypes:
+      - Ingress
+      - Egress
+    ```
+
+    Save the above as `default-deny.yaml` and apply it to your namespace:
+
+    ```bash
+    kubectl apply -f default-deny.yaml
+    ```
+
+    Follow this up with explicit `allow` policies for necessary services.
+
+### 7. Cluster Hardening & Scans
+
+*   **kube-bench (CIS Benchmarks):**
+
+    ```bash
+    kubectl run --rm -it --image aquasec/kube-bench:latest kube-bench -- /kube-bench --version 1.23
+    ```
+
+    Refer to the kube-bench documentation for running as a Job or Pod.
+
+*   **kube-linter / kube-score (Static Manifest Checks):**
+
+    Install the CLI tool locally and analyze your Kubernetes manifests.
+
+*   **kube-hunter (Penetration Testing):**
+
+    ```bash
+    docker run aquasec/kube-hunter:latest --remote <K8S_API_ENDPOINT>
+    ```
+
+## Configuration
+
+This section provides example configuration files and tips to customize the setup for a home Kubernetes cluster.
+
+### Example `values.yaml` for `kube-prometheus-stack`
+
+This reduces resource usage and avoids the need for external object storage for Alertmanager, which is not needed at home.  It disables default dashboards you might not need initially and cuts down some Prometheus retention.
+
+```yaml
+# values.yaml for kube-prometheus-stack
+
+prometheus:
+  prometheusSpec:
+    # reduce resource rqts / limits
+    resources:
+       requests:
+         memory: 1Gi
+         cpu: 200m
+       limits:
+         memory: 2Gi
+         cpu: 500m
+
+    # Reduce storage retention
+    retention: 7d
+    storageSpec:
+      volumeClaimTemplate:
+        spec:
+          storageClassName: "local-path" # Or your storage class
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 10Gi # adjust as needed
+
+alertmanager:
+  enabled: false # for quick home setup, send directly to telegram etc.
+grafana:
+  enabled: true
+  defaultDashboardsEnabled: false   # Disable default dashboards
+  sidecar:
+    dashboards:
+      enabled: true
+      provider:
+        folders:
+          fromConfigMap: true # Load custom dashboards from ConfigMaps
+
+kube-state-metrics:
+ enabled: true
+
+nodeExporter:
+  enabled: true
+```
+
+To use this configuration, save it as `values.yaml` and run:
+
+```bash
+helm install kube-prometheus prometheus-community/kube-prometheus-stack --namespace monitoring -f values.yaml
+```
+
+Adapt the `storageClassName` and storage amounts to your environment.
+
+### Example Kyverno Policy - Disallow Root User / Require Distroless
+
+This example expands on the previous policy.  It requires images not run as UID 0 and suggests distroless images.  It still requires privilege escalation to be forbidden:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-non-root-user-and-distroless
+  annotations:
+    policies.kyverno.io/title: Require Non-Root User and Distroless Images
+    policies.kyverno.io/category: Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Containers should not run as root, and ideally, be based on Distroless
+      images where possible. This policy requires that containers define
+      `runAsUser`, and that `runAsUser` is not `0`.  It also generates a warning
+      if the image is not based on a distroless image, although does not reject
+      the deployment.
+
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: check-runasnonroot
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Containers must not run as root. Specify a non-zero runAsUser in securityContext."
+        pattern:
+          spec:
+            containers:
+              - securityContext:
+                  runAsUser: "!0" # not equal to zero
+    - name: check-allowprivilegeescalation
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: "Containers must set allowPrivilegeEscalation to false."
+        pattern:
+          spec:
+            containers:
+              - securityContext:
+                  allowPrivilegeEscalation: "false"
+    - name: warn-distroless
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      verifyImages:
+        - imageReferences:
+            - "*"  # all images
+          attestations:
+            - policy:
+                subjects:
+                  - name: distroless
+                conditions:
+                  all:
+                    - key: "ghcr.io/distroless/static:latest"  # Example -  Check if the image is distroless.  You can use wildcards
+                      operator: In
+                      value: "{{ image.repoDigests }}"
+                  # You can add other keys and values to check
+
+      mutate:
+        overlay:
+          metadata:
+            annotations:
+              "image.distroless.warn": "This image isn't distroless -- see https://github.com/GoogleContainerTools/distroless"
+```
+
+### Alertmanager to Telegram
+
+1.  **Create a Telegram Bot:** Search for `@BotFather` on Telegram. Use the `/newbot` command. Give your bot a name and a unique username.  BotFather will give you the bot's API token.
+
+2.  **Get your Telegram Chat ID:** Send a message to your bot.  Then, in a browser, go to  `https://api.telegram.org/bot<YOUR_BOT_API_TOKEN>/getUpdates` (replace `<YOUR_BOT_API_TOKEN>`). The `chat.id` value in the JSON response is your chat ID.
+
+3.  **Create a Secret in Kubernetes:**
+
+    ```bash
+    kubectl create secret generic telegram-secrets \
+      --from-literal=bot_token="<YOUR_BOT_API_TOKEN>" \
+      --from-literal=chat_id="<YOUR_CHAT_ID>"
+    ```
+
+    Replace the placeholders with the correct values.
+
+4.  **Add Alertmanager Configuration:**
+
+    You'll need to patch the default Alertmanager configuration provided by `kube-prometheus-stack`.  Because we disabled the Alertmanager component from the chart for simplicitly's sake, we'll instead rely on defining an additional prometheusRule that sends alerts to a webhook (and have a small sidecar container forward them to telegram).
+
+Example:
+
+```yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    prometheus: k8s
+    role: alert-rules
+  name: promethus-to-telegram
+  namespace: monitoring
+spec:
+  groups:
+    - name: kubernetes-home-cluster
+      rules:
+        - alert: PrometheusToTelegramAlert
+          annotations:
+            description: 'Alert sent from Prometheus goes to telegram'
+          expr: vector(1)
+          labels:
+            severity: critical
+          for: 1s
+          actions:
+            - name: SendToTelegramAction
+              url: 'http://localhost:8080/message'
+              parameters:
+                text: Alert from Prometheus: {{ .Alerts.Firing | len }} firing alert{{ if gt (len .Alerts.Firing) 1 }}s{{ end }}.\nSeverity: {{ .CommonLabels.severity }}\nDescription: {{ .CommonAnnotations.description }}
+```
+
+Now you will create a deployment that runs a small webhook server forwarding these alerts to telegram:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: prometheus-telegram
+  namespace: monitoring
+spec:
+  selector:
+    matchLabels:
+      app: prometheus-telegram
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: prometheus-telegram
+    spec:
+      containers:
+      - name: webhook
+        image: nginx
+        ports:
+        - containerPort: 8080
+      - name: telegram-forwarder
+        image: alpine/curl
+        command: ["/bin/sh"]
+        args:
+        - "-c"
+        - |
+          while true; do
+            nc -l -p 8080 | sed 's/text=/text=Alert from Prometheus: /g' | curl -sS --fail -X POST "https://api.telegram.org/bot$(TELEGRAM_BOT_TOKEN)/sendMessage" -d chat_id=$(TELEGRAM_CHAT_ID) -d "$$(cat)"
+            sleep 1;
+          done
+        env:
+        - name: TELEGRAM_BOT_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: telegram-secrets
+              key: bot_token
+        - name: TELEGRAM_CHAT_ID
+          valueFrom:
+            secretKeyRef:
+              name: telegram-secrets
+              key: chat_id
+```
+
+**Explanation:**
+
+*   It creates an Nginx pod for a HTTP listener to avoid unnecessary security errors in Promethues,
+*   The `telegram-forwarder` container uses `curl` and `nc` to forward the POST from Prometheus to the Telegram API, using the secrets for authentication.
+
+## Operational Tips
+
+*   **Resource Management:**  Set resource limits and requests for components, especially Prometheus and Grafana. Adjust scrape intervals for Prometheus to reduce load.
+*   **Persistence:**  Use persistent volumes for Grafana and Prometheus to preserve dashboards and historical data.
+*   **Alerting:**  Configure Alertmanager with a Telegram or Discord webhook for notifications. This is *simpler* than email for home setups.
+*   **Trivy & Image Blocking:** To automatically block vulnerable images, integrate Trivy with admission webhooks (using Kyverno to reject deployments based on Trivy reports).
+*   **Backups:** Regularly back up etcd (if self-hosting the control plane) and potentially Prometheus/Grafana data.
+
+## Getting Started Quickly
+
+Follow this installation order:
+
+1.  Install your `CNI`.
+2.  Install `kube-prometheus-stack`, using `values.yaml` to reduce resources.
+3.  Install Grafana and import dashboards.
+4.  Enable PSA on namespaces.
+5.  Install Kyverno and create deny policies.
+6.  Install Trivy Operator for image scanning visibility.
+7.  Install Falco for runtime detection.
+8.  Run `kube-bench` and `kube-linter` for initial assessment.
+
+## Useful Resources
+
+*   [kube-prometheus-stack (Helm)](https://github.com/prometheus-community/helm-charts)
+*   [trivy-operator](https://github.com/aquasecurity/trivy-operator)
+*   [Kyverno](https://kyverno.io/)
+*   [Falco](https://falco.org/)
+*   [Calico CNI](https://www.tigera.io/project-calico/)
+*  [Aqua kube-hunter, kube-bench, kube-linter](https://www.aquasec.com/)
+
+This README provides a solid foundation for setting up monitoring and security on your home Kubernetes cluster.  Adapt the configurations and policies to your specific needs and experiment!

docs/prepare-server.md

@@ -0,0 +1,216 @@
+Here's the guide formatted as a `README.md` file, ready for a GitHub repository or local documentation.
+
+```markdown
+# Optimizing Debian for K3s
+
+This guide outlines steps to optimize a Debian server for running K3s (Lightweight Kubernetes). Optimization involves a combination of general Linux best practices, K3s-specific recommendations, and considerations for your specific workload.
+
+## Table of Contents
+
+- [1. Debian Base System Optimization](#1-debian-base-system-optimization)
+  - [a. Kernel Parameters (sysctl.conf)](#a-kernel-parameters-sysctlconf)
+  - [b. User Limits (ulimit)](#b-user-limits-ulimit)
+  - [c. Disable Unnecessary Services](#c-disable-unnecessary-services)
+  - [d. Update System](#d-update-system)
+  - [e. Swap Configuration](#e-swap-configuration)
+- [2. K3s Specific Optimizations](#2-k3s-specific-optimizations)
+  - [a. Choose a Performant Storage Backend](#a-choose-a-performant-storage-backend)
+  - [b. Containerd Tuning](#b-containerd-tuning)
+  - [c. K3s Server and Agent Configuration](#c-k3s-server-and-agent-configuration)
+  - [d. CNI Choice](#d-cni-choice)
+- [3. General Server Best Practices](#3-general-server-best-practices)
+  - [a. Fast Storage](#a-fast-storage)
+  - [b. Adequate RAM and CPU](#b-adequate-ram-and-cpu)
+  - [c. Network Configuration](#c-network-configuration)
+  - [d. Monitoring](#d-monitoring)
+  - [e. Logging](#e-logging)
+- [4. Post-Optimization Verification](#4-post-optimization-verification)
+
+---
+
+## 1. Debian Base System Optimization
+
+These steps are generally beneficial for any server, but particularly important for containerized environments like K3s.
+
+### a. Kernel Parameters (sysctl.conf)
+
+Edit `/etc/sysctl.conf` and apply changes with `sudo sysctl -p`.
+
+```ini
+# Increase maximum open files (for container processes, K3s components)
+fs.inotify.max_user_watches = 524288 # For fs-based operations within containers
+fs.inotify.max_user_instances = 8192 # For fs-based operations within containers
+fs.file-max = 2097152 # Increase overall system file handle limit
+
+# Increase limits for network connections
+net.core.somaxconn = 65535 # Max backlog of pending connections
+net.ipv4.tcp_tw_reuse = 1 # Allow reuse of TIME_WAIT sockets (caution: can sometimes mask issues)
+net.ipv4.tcp_fin_timeout = 30 # Reduce TIME_WAIT duration
+net.ipv4.tcp_max_syn_backlog = 65535 # Max number of remembered connection requests
+net.ipv4.tcp_keepalive_time=600 # Shorter keepalive interval
+net.ipv4.tcp_keepalive_intvl=60 # Keepalive interval
+net.ipv4.tcp_keepalive_probes=3 # Keepalive probes
+
+# Increase memory limits for network buffers (especially if high network traffic)
+net.core.rmem_max = 26214400
+net.core.wmem_max = 26214400
+net.core.rmem_default = 26214400
+net.core.wmem_default = 26214400
+
+# Other useful parameters
+vm.max_map_count = 262144 # Essential for Elasticsearch, MongoDB, etc.
+vm.dirty_ratio = 5 # Reduce dirty page percentage for better write performance
+vm.dirty_background_ratio = 10 # Reduce dirty page percentage for better write performance
+kernel.pid_max = 4194304 # Increase max PIDs
+```
+
+**Explanation:**
+- `fs.file-max`: K3s and its deployed containers can open a large number of files. Increasing this prevents "Too many open files" errors.
+- `net.*`: These parameters help in handling a high number of concurrent network connections crucial for a Kubernetes cluster.
+- `vm.max_map_count`: Required by some applications that run on Kubernetes (e.g., Elasticsearch).
+
+### b. User Limits (ulimit)
+
+Edit `/etc/security/limits.conf` (or create a file like `/etc/security/limits.d/k3s.conf`) for all users, or specifically for the user K3s runs as (often `root` by default or a dedicated `k3s` user).
+
+```
+# For all users (or a specific k3s user if you configure it)
+*    soft nofile 65536
+*    hard nofile 131072
+*    soft nproc  65536
+*    hard nproc  131072
+```
+**Note:** A reboot or logging out/in is often required for these changes to take effect for user sessions. Services typically pick up new limits upon restart.
+
+**Explanation:**
+- `nofile` (number of open files): Sets the per-user/per-process limit. K3s and pods need a high limit.
+- `nproc` (number of processes): Each container consumes processes. A high limit prevents hitting a ceiling.
+
+### c. Disable Unnecessary Services
+
+Reducing background services frees up CPU, RAM, and I/O.
+```bash
+sudo systemctl disable --now apache2 # Example, replace with actual unused services
+sudo systemctl disable --now nginx    # Example
+sudo systemctl disable --now cups     # If not using printing
+sudo systemctl disable --now modemmanager # If not using a modem
+sudo systemctl disable --now bluetooth # If no bluetooth devices
+# Review active services using:
+# systemctl list-unit-files --type=service --state=enabled
+```
+
+### d. Update System
+
+Keep your system packages up-to-date for security and performance bug fixes.
+```bash
+sudo apt update
+sudo apt upgrade -y
+sudo apt dist-upgrade -y # For major version changes (if applicable)
+sudo apt autoremove -y
+sudo reboot # After significant kernel or base system updates
+```
+
+### e. Swap Configuration
+
+**It is generally recommended to disable swap on K3s nodes, especially worker nodes.** Swapping can severely degrade performance in containerized environments due to unpredictable latency.
+
+If you absolutely must have swap (e.g., very low memory server, not recommended for production):
+*   Reduce swappiness: `sudo sysctl vm.swappiness=10` (or even `1`). Add `vm.swappiness = 10` to `/etc/sysctl.conf`.
+*   Preferably, disable swap entirely if you have sufficient RAM:
+    ```bash
+    sudo swapoff -a
+    sudo sed -i '/ swap / s/^/#/' /etc/fstab
+    ```
+    **WARNING:** Only disable swap if your system has sufficient RAM to handle its workload without it. If nodes run out of memory without swap, processes will be OOM-killed, leading to instability.
+
+## 2. K3s Specific Optimizations
+
+### a. Choose a Performant Storage Backend
+
+The choice of K3s's data store significantly impacts performance and availability.
+
+*   **SQLite (Default):** Good for single-node setups or small, non-critical clusters. Performance can degrade with many changes or large clusters.
+*   **External Database (MariaDB/MySQL, PostgreSQL):**
+    *   **Recommended for Production:** Offers high availability and better performance than embedded SQLite for multi-node K3s server configurations.
+    *   **Placement:** Place the external database on a separate server or on a dedicated, fast storage volume.
+*   **External etcd:** Offers the best performance and scalability, but is more complex to manage and requires its own dedicated etcd cluster.
+
+### b. Containerd Tuning
+
+K3s uses containerd as its container runtime.
+
+*   **Fast Storage for Containerd:** Ensure the directories where containerd stores its data are on fast storage (NVMe SSDs are ideal).
+    *   `/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs` (K3s specific)
+    *   (`/var/lib/containerd` if using a standalone containerd setup)
+    This is critical for image pulls, container startup, and overlayfs performance.
+
+### c. K3s Server and Agent Configuration
+
+Configure K3s using a configuration file (e.g., `/etc/rancher/k3s/config.yaml`) or command-line flags.
+
+*   **Disable Unused Components:** Reduce resource consumption by disabling features you don't need.
+    *   `--disable traefik`: If using Nginx Ingress Controller or another ingress.
+    *   `--disable servicelb`: If using a cloud provider Load Balancer, MetalLB, or another solution.
+    *   `--disable local-storage`: If using cloud provider storage, NFS, or another remote storage solution.
+    *   `--disable metrics-server`: If using a different metrics solution or don't need it.
+    *   `--disable helm-controller`: If exclusively using `kubectl` for deployments.
+
+    **Example `/etc/rancher/k3s/config.yaml` for a server node:**
+    ```yaml
+    # /etc/rancher/k3s/config.yaml
+    server: true
+    disable:
+      - traefik
+      - servicelb
+      - local-storage
+      - metrics-server
+    # Example for external database
+    # datastore-endpoint: "mysql://k3s:password@tcp(db-server:3306)/kube?parseTime=true"
+    ```
+
+### d. CNI Choice
+
+K3s defaults to Flannel (with VXLAN), which is performant for many use cases.
+*   **Alternative CNIs (Calico, Cilium):** If you require advanced network policies, superior performance in high-throughput scenarios, or specific networking features, consider replacing Flannel. These can offer better raw throughput or lower latency but add complexity.
+    *   If installing K3s, you'd typically skip Flannel installation (`--flannel-backend=none`) then install your chosen CNI.
+    *   Ensure your chosen CNI is optimized with the correct kernel modules and sysctls.
+
+## 3. General Server Best Practices
+
+### a. Fast Storage
+
+*   **SSD/NVMe:** Absolutely crucial for K3s performance, especially for the K3s data directory (`$K3S_DATA_DIR`, default: `/var/lib/rancher/k3s`), `/var/lib/containerd`, and the operating system itself. Pod startup times, image pulls, and database operations are heavily I/O bound.
+*   **RAID:** If using multiple drives, consider RAID1 or RAID10 for redundancy and increased I/O performance.
+
+### b. Adequate RAM and CPU
+
+*   **RAM:** K3s servers (especially with embedded SQLite) require more RAM. Worker nodes also need ample RAM for their pods. Err on the side of more RAM.
+*   **CPU:** Ensure sufficient CPU cores for K3s components, containers, and your workloads.
+
+### c. Network Configuration
+
+*   **Gigabit Ethernet (at least):** 10Gbps or faster is ideal for larger clusters or high-bandwidth applications.
+*   **MTU:** Ensure consistent MTU settings across all nodes and your network infrastructure. K3s default CNI (Flannel VXLAN) might use a smaller MTU (e.g., 1450) due to encapsulation overhead. Misconfigured MTU can lead to packet fragmentation and performance issues.
+*   **Jumbo Frames:** If your network supports it and all components are configured for it, jumbo frames (e.g., 9000 bytes MTU) can reduce overhead and improve throughput, but requires careful and consistent configuration.
+
+### d. Monitoring
+
+*   **Prometheus/Grafana:** Essential for monitoring resource usage (CPU, RAM, disk I/O, network) of your nodes and K3s components. This helps identify and diagnose bottlenecks.
+*   **Kube-state-metrics:** Provides metrics about Kubernetes objects.
+*   **Node Exporter:** Provides system-level metrics.
+*   **cAdvisor (usually bundled with container runtimes):** Provides container-level metrics.
+
+### e. Logging
+
+*   **Centralized Logging (ELK Stack, Loki, etc.):** Stream logs from K3s components and pods to a central logging system for easier debugging, troubleshooting, and performance analysis.
+
+## 4. Post-Optimization Verification
+
+1.  **Reboot:** After making changes to kernel parameters or `limits.conf`, a full system reboot is often the safest way to ensure all changes are fully applied.
+2.  **Verify sysctl settings:** `sudo sysctl -a | grep -i <parameter_name>` (e.g., `sudo sysctl -a | grep -i fs.file-max`)
+3.  **Verify ulimits:** Check `ulimit -n` and `ulimit -u` in a new shell. For specific running processes, inspect `/proc/<pid>/limits`.
+4.  **Monitor Performance:** Use tools like `htop`, `iostat`, `netstat`, `dstat`, and your installed monitoring stack (Prometheus/Grafana) to observe the impact of your changes. Look for reduced CPU usage, lower I/O wait, improved network throughput, and stable memory usage.
+5.  **Test Workloads:** Deploy your actual applications and perform load testing to ensure the optimizations yield the desired performance benefits under realistic conditions.
+
+By diligently following these steps, you can establish a robust and highly performant Debian environment for your K3s cluster. Always test changes in a staging or development environment before applying them to production systems.
+```

docs/writing-custom-resources.md

@@ -1,901 +0,0 @@
-# Writing Custom Resources
-
-This guide explains how to create and implement custom resources in the
-homelab-operator.
-
-## Overview
-
-Custom resources in this operator follow a structured pattern that includes:
-
-- **Specification schemas** using Zod for runtime validation
-- **Resource implementations** that extend the base `CustomResource` class
-- **Manifest creation** helpers for generating Kubernetes resources
-- **Reconciliation logic** to manage the desired state
-
-## Project Structure
-
-Each custom resource should be organized in its own directory under
-`src/custom-resouces/` with the following structure:
-
-```
-src/custom-resouces/{resource-name}/
-├── {resource-name}.ts              # Main definition file
-├── {resource-name}.schemas.ts      # Zod validation schemas
-├── {resource-name}.resource.ts     # Resource implementation
-└── {resource-name}.create-manifests.ts # Manifest generation helpers
-```
-
-## Quick Start
-
-This section walks through creating a complete custom resource from scratch.
-We'll build a `MyResource` that manages a web application with a deployment and
-service.
-
-### 1. Define Your Resource
-
-The main definition file registers your custom resource with the operator
-framework. This file serves as the entry point that ties together your schemas,
-implementation, and Kubernetes CRD definition.
-
-Create the main definition file (`{resource-name}.ts`):
-
-```typescript
-import { createCustomResourceDefinition } from "../../services/custom-resources/custom-resources.ts";
-import { GROUP } from "../../utils/consts.ts";
-
-import { MyResourceResource } from "./my-resource.resource.ts";
-import { myResourceSpecSchema } from "./my-resource.schemas.ts";
-
-const myResourceDefinition = createCustomResourceDefinition({
-  group: GROUP, // Uses your operator's API group (homelab.mortenolsen.pro)
-  version: "v1", // API version for this resource
-  kind: "MyResource", // The Kubernetes kind name (PascalCase)
-  names: {
-    plural: "myresources", // Plural name for kubectl (lowercase)
-    singular: "myresource", // Singular name for kubectl (lowercase)
-  },
-  spec: myResourceSpecSchema, // Zod schema for validation
-  create: (options) => new MyResourceResource(options), // Factory function
-});
-
-export { myResourceDefinition };
-```
-
-**Key Points:**
-
-- The `group` should always use the `GROUP` constant to maintain consistency
-- `kind` should be descriptive and follow Kubernetes naming conventions
-  (PascalCase)
-- `names.plural` is used in kubectl commands (`kubectl get myresources`)
-- The `create` function instantiates your resource implementation when a CR is
-  detected
-
-### 2. Create Validation Schemas
-
-Schemas define the structure and validation rules for your custom resource's
-specification. Using Zod provides runtime type safety and automatic validation
-of user input.
-
-Define your spec schema (`{resource-name}.schemas.ts`):
-
-```typescript
-import { z } from "zod";
-
-const myResourceSpecSchema = z.object({
-  // Required fields - these must be provided by users
-  hostname: z.string(), // Base hostname for the application
-  port: z.number().min(1).max(65535), // Container port (validated range)
-
-  // Optional fields with defaults - provide sensible fallbacks
-  replicas: z.number().min(1).default(1), // Number of pod replicas
-
-  // Enums - restrict to specific values with defaults
-  protocol: z.enum(["http", "https"]).default("https"),
-
-  // Nested objects - for complex configuration
-  database: z.object({
-    host: z.string(), // Database hostname
-    port: z.number(), // Database port
-    name: z.string(), // Database name
-  }).optional(), // Entire database config is optional
-});
-
-// Additional schemas for secrets, status, etc.
-// Separate schemas help organize different data types
-const myResourceSecretSchema = z.object({
-  apiKey: z.string(), // API key for external services
-  password: z.string(), // Database or service password
-});
-
-export { myResourceSecretSchema, myResourceSpecSchema };
-```
-
-**Schema Design Best Practices:**
-
-- **Required vs Optional**: Make fields required only when absolutely necessary
-- **Defaults**: Provide sensible defaults to reduce user configuration burden
-- **Validation**: Use Zod's built-in validators (`.min()`, `.max()`, `.email()`,
-  etc.)
-- **Enums**: Restrict values to prevent invalid configurations
-- **Nested Objects**: Group related configuration together
-- **Separate Schemas**: Create different schemas for different purposes (spec,
-  secrets, status)
-
-### 3. Implement the Resource
-
-The resource implementation is the core of your custom resource. It contains the
-business logic for managing Kubernetes resources and maintains the desired
-state. This class extends `CustomResource` and implements the reconciliation
-logic.
-
-Create the resource implementation (`{resource-name}.resource.ts`):
-
-```typescript
-import type { KubernetesObject } from "@kubernetes/client-node";
-import deepEqual from "deep-equal";
-
-import {
-  CustomResource,
-  type CustomResourceOptions,
-  type SubresourceResult,
-} from "../../services/custom-resources/custom-resources.custom-resource.ts";
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-import type { myResourceSpecSchema } from "./my-resource.schemas.ts";
-import {
-  createDeploymentManifest,
-  createServiceManifest,
-} from "./my-resource.create-manifests.ts";
-
-class MyResourceResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-  #serviceResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Initialize resource references
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    this.#serviceResource.current = resourceService.get({
-      apiVersion: "v1",
-      kind: "Service",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Set up event handlers for reconciliation
-    this.#deploymentResource.on("changed", this.queueReconcile);
-    this.#serviceResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileDeployment = async (): Promise<SubresourceResult> => {
-    const manifest = createDeploymentManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!this.#deploymentResource.current?.exists) {
-      await this.#deploymentResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Creating",
-        message: "Creating deployment",
-      };
-    }
-
-    if (!deepEqual(this.#deploymentResource.current.spec, manifest.spec)) {
-      await this.#deploymentResource.current.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Deployment needs updates",
-      };
-    }
-
-    // Check if deployment is ready
-    const deployment = this.#deploymentResource.current;
-    const isReady =
-      deployment.status?.readyReplicas === deployment.status?.replicas;
-
-    return {
-      ready: isReady,
-      reason: isReady ? "Ready" : "Pending",
-      message: isReady ? "Deployment is ready" : "Waiting for pods to be ready",
-    };
-  };
-
-  #reconcileService = async (): Promise<SubresourceResult> => {
-    const manifest = createServiceManifest({
-      name: this.name,
-      namespace: this.namespace,
-      ref: this.ref,
-      spec: this.spec,
-    });
-
-    if (!deepEqual(this.#serviceResource.current?.spec, manifest.spec)) {
-      await this.#serviceResource.current?.patch(manifest);
-      return {
-        ready: false,
-        syncing: true,
-        reason: "Updating",
-        message: "Service needs updates",
-      };
-    }
-
-    return { ready: true };
-  };
-
-  public reconcile = async () => {
-    if (!this.exists || this.metadata.deletionTimestamp) {
-      return;
-    }
-
-    // Reconcile subresources
-    await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-    await this.reconcileSubresource("Service", this.#reconcileService);
-
-    // Update overall ready condition
-    const deploymentReady =
-      this.conditions.get("Deployment")?.status === "True";
-    const serviceReady = this.conditions.get("Service")?.status === "True";
-
-    await this.conditions.set("Ready", {
-      status: deploymentReady && serviceReady ? "True" : "False",
-      reason: deploymentReady && serviceReady ? "Ready" : "Pending",
-      message: deploymentReady && serviceReady
-        ? "All resources are ready"
-        : "Waiting for resources to be ready",
-    });
-  };
-}
-
-export { MyResourceResource };
-```
-
-**Resource Implementation Breakdown:**
-
-**Constructor Setup:**
-
-- **Resource References**: Create `ResourceReference` objects to track managed
-  Kubernetes resources
-- **Service Access**: Use dependency injection to access operator services
-  (`ResourceService`)
-- **Event Handlers**: Listen for changes in managed resources to trigger
-  reconciliation
-- **Resource Registration**: Register references for Deployment and Service that
-  will be managed
-
-**Reconciliation Methods:**
-
-- **`#reconcileDeployment`**: Manages the application's Deployment resource
-  - Creates manifests using helper functions
-  - Checks if resource exists and creates/updates as needed
-  - Uses `deepEqual` to avoid unnecessary updates
-  - Returns status indicating readiness state
-- **`#reconcileService`**: Manages the Service resource for network access
-  - Similar pattern to deployment but typically simpler
-  - Services are usually ready immediately after creation
-
-**Main Reconcile Loop:**
-
-- **Deletion Check**: Early return if resource is being deleted
-- **Subresource Management**: Calls individual reconciliation methods
-- **Condition Updates**: Aggregates status from all subresources
-- **Status Reporting**: Updates the overall "Ready" condition
-
-**Key Design Patterns:**
-
-- **Private Methods**: Use `#` for private reconciliation methods
-- **Async/Await**: All reconciliation is asynchronous
-- **Resource References**: Track external resources with type safety
-- **Condition Management**: Provide clear status through Kubernetes conditions
-- **Event-Driven**: React to changes in managed resources automatically
-
-### 4. Create Manifest Helpers
-
-Manifest helpers are pure functions that generate Kubernetes resource
-definitions. They transform your custom resource's specification into standard
-Kubernetes objects. This separation keeps your reconciliation logic clean and
-makes manifests easy to test and modify.
-
-Define manifest creation functions (`{resource-name}.create-manifests.ts`):
-
-```typescript
-type CreateDeploymentManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any; // Owner reference
-  spec: {
-    hostname: string;
-    port: number;
-    replicas: number;
-  };
-};
-
-const createDeploymentManifest = (
-  options: CreateDeploymentManifestOptions,
-) => ({
-  apiVersion: "apps/v1",
-  kind: "Deployment",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    replicas: options.spec.replicas,
-    selector: {
-      matchLabels: {
-        app: options.name,
-      },
-    },
-    template: {
-      metadata: {
-        labels: {
-          app: options.name,
-        },
-      },
-      spec: {
-        containers: [
-          {
-            name: options.name,
-            image: "nginx:latest",
-            ports: [
-              {
-                containerPort: options.spec.port,
-              },
-            ],
-            env: [
-              {
-                name: "HOSTNAME",
-                value: options.spec.hostname,
-              },
-            ],
-          },
-        ],
-      },
-    },
-  },
-});
-
-type CreateServiceManifestOptions = {
-  name: string;
-  namespace: string;
-  ref: any;
-  spec: {
-    port: number;
-  };
-};
-
-const createServiceManifest = (options: CreateServiceManifestOptions) => ({
-  apiVersion: "v1",
-  kind: "Service",
-  metadata: {
-    name: options.name,
-    namespace: options.namespace,
-    ownerReferences: [options.ref],
-  },
-  spec: {
-    selector: {
-      app: options.name,
-    },
-    ports: [
-      {
-        port: 80,
-        targetPort: options.spec.port,
-      },
-    ],
-  },
-});
-
-export { createDeploymentManifest, createServiceManifest };
-```
-
-**Manifest Helper Patterns:**
-
-**Type Definitions:**
-
-- **Options Types**: Define clear interfaces for function parameters
-- **Structured Input**: Group related parameters in nested objects
-- **Type Safety**: Leverage TypeScript to catch configuration errors at compile
-  time
-
-**Deployment Manifest:**
-
-- **Owner References**: Ensures garbage collection when parent resource is
-  deleted
-- **Labels & Selectors**: Consistent labeling for pod selection and organization
-- **Container Configuration**: Maps custom resource spec to container settings
-- **Environment Variables**: Passes configuration from spec to running
-  containers
-- **Port Configuration**: Exposes application ports based on spec
-
-**Service Manifest:**
-
-- **Service Discovery**: Creates stable network endpoint for the deployment
-- **Port Mapping**: Routes external traffic to container ports
-- **Selector Matching**: Uses same labels as deployment for proper routing
-- **Owner References**: Links service lifecycle to custom resource
-
-**Best Practices for Manifest Helpers:**
-
-- **Pure Functions**: No side effects, same input always produces same output
-- **Immutable Objects**: Return new objects rather than modifying inputs
-- **Validation**: Let TypeScript catch type mismatches
-- **Consistent Naming**: Use predictable patterns for resource names
-- **Owner References**: Always set for proper cleanup
-- **Documentation**: Comment non-obvious configuration choices
-
-### 5. Register Your Resource
-
-Add your resource to `src/custom-resouces/custom-resources.ts`:
-
-```typescript
-import { myResourceDefinition } from "./my-resource/my-resource.ts";
-
-const customResources = [
-  // ... existing resources
-  myResourceDefinition,
-];
-```
-
-## Core Concepts
-
-These fundamental patterns are used throughout the operator framework.
-Understanding them is essential for building robust custom resources.
-
-### Resource References
-
-`ResourceReference` objects provide a strongly-typed way to track and manage
-Kubernetes resources that your custom resource creates or depends on. They
-automatically handle resource watching, caching, and change notifications.
-
-Use `ResourceReference` to manage related Kubernetes resources:
-
-```typescript
-import {
-  ResourceReference,
-  ResourceService,
-} from "../../services/resources/resources.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #deploymentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    this.#deploymentResource.current = resourceService.get({
-      apiVersion: "apps/v1",
-      kind: "Deployment",
-      name: this.name,
-      namespace: this.namespace,
-    });
-
-    // Listen for changes
-    this.#deploymentResource.on("changed", this.queueReconcile);
-  }
-}
-```
-
-**Why Resource References Matter:**
-
-- **Automatic Watching**: Changes to referenced resources trigger reconciliation
-- **Type Safety**: Get compile-time checking for resource properties
-- **Lifecycle Management**: Easily check if resources exist and their current
-  state
-- **Event Handling**: React to external changes without polling
-- **Caching**: Avoid repeated API calls for the same resource data
-
-### Conditions
-
-Kubernetes conditions provide a standardized way to communicate resource status.
-They follow the Kubernetes convention of expressing current state, reasons for
-that state, and human-readable messages. Conditions are crucial for operators
-and users to understand what's happening with resources.
-
-Use conditions to track the status of your resource:
-
-```typescript
-// Set a condition
-await this.conditions.set("Ready", {
-  status: "True",
-  reason: "AllResourcesReady",
-  message: "All subresources are ready",
-});
-
-// Get a condition
-const isReady = this.conditions.get("Ready")?.status === "True";
-```
-
-**Condition Best Practices:**
-
-- **Standard Names**: Use common condition types like "Ready", "Available",
-  "Progressing"
-- **Clear Status**: Use "True", "False", or "Unknown" following Kubernetes
-  conventions
-- **Descriptive Reasons**: Provide specific reason codes for troubleshooting
-- **Helpful Messages**: Include actionable information for users
-- **Consistent Updates**: Always update conditions during reconciliation
-
-### Subresource Reconciliation
-
-The `reconcileSubresource` method provides a standardized way to manage
-individual components of your custom resource. It automatically handles
-condition updates, error management, and status aggregation. This pattern keeps
-your main reconciliation loop clean and ensures consistent error handling.
-
-Use `reconcileSubresource` to manage individual components:
-
-```typescript
-public reconcile = async () => {
-  // This automatically manages conditions and error handling
-  await this.reconcileSubresource("Deployment", this.#reconcileDeployment);
-  await this.reconcileSubresource("Service", this.#reconcileService);
-};
-```
-
-**Subresource Reconciliation Benefits:**
-
-- **Automatic Condition Management**: Sets conditions based on reconciliation
-  results
-- **Error Isolation**: Failures in one subresource don't stop others
-- **Status Aggregation**: Combines individual component status into overall
-  status
-- **Consistent Patterns**: Same error handling and retry logic across all
-  components
-- **Observability**: Clear visibility into which components are having issues
-
-### Deep Equality Checks
-
-Deep equality checks prevent unnecessary API calls and resource churn.
-Kubernetes resources should only be updated when their desired state actually
-differs from their current state. This improves performance and reduces cluster
-load.
-
-Use `deepEqual` to avoid unnecessary updates:
-
-```typescript
-import deepEqual from "deep-equal";
-
-if (!deepEqual(currentResource.spec, desiredManifest.spec)) {
-  await currentResource.patch(desiredManifest);
-}
-```
-
-**Deep Equality Benefits:**
-
-- **Performance**: Avoids unnecessary API calls to Kubernetes
-- **Reduced Churn**: Prevents resource version conflicts and unnecessary events
-- **Stability**: Reduces reconciliation loops and system noise
-- **Efficiency**: Lets you focus compute on actual changes
-- **Observability**: Cleaner audit logs with only meaningful changes
-
-**When to Use Deep Equality:**
-
-- **Spec Comparisons**: Before updating any Kubernetes resource
-- **Status Updates**: Only update status when values actually change
-- **Metadata Updates**: Check labels and annotations before patching
-- **Complex Objects**: Especially useful for nested configuration objects
-
-## Advanced Patterns
-
-These patterns handle more complex scenarios like secret management, resource
-dependencies, and sophisticated error handling. Use these when building
-production-ready operators that need to handle real-world complexity.
-
-### Working with Secrets
-
-Many resources need to manage secrets. Here's a pattern for secret management:
-
-```typescript
-import { SecretService } from "../../services/secrets/secrets.ts";
-
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const secretService = this.services.get(SecretService);
-
-    // Get or create a secret
-    this.secretRef = secretService.get({
-      name: `${this.name}-secret`,
-      namespace: this.namespace,
-    });
-  }
-
-  #ensureSecret = async () => {
-    const secretData = {
-      apiKey: generateApiKey(),
-      password: generatePassword(),
-    };
-
-    if (!this.secretRef.current?.exists) {
-      await this.secretRef.current?.patch({
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: this.secretRef.current.name,
-          namespace: this.secretRef.current.namespace,
-          ownerReferences: [this.ref],
-        },
-        data: secretData,
-      });
-    }
-  };
-}
-```
-
-### Cross-Resource Dependencies
-
-When your resource depends on other custom resources:
-
-```typescript
-class MyResource extends CustomResource<typeof myResourceSpecSchema> {
-  #dependentResource = new ResourceReference();
-
-  constructor(options: CustomResourceOptions<typeof myResourceSpecSchema>) {
-    super(options);
-    const resourceService = this.services.get(ResourceService);
-
-    // Reference another custom resource
-    this.#dependentResource.current = resourceService.get({
-      apiVersion: "homelab.mortenolsen.pro/v1",
-      kind: "PostgresDatabase",
-      name: this.spec.database,
-      namespace: this.namespace,
-    });
-
-    this.#dependentResource.on("changed", this.queueReconcile);
-  }
-
-  #reconcileApp = async (): Promise<SubresourceResult> => {
-    // Check if dependency is ready
-    const dependency = this.#dependentResource.current;
-    if (!dependency?.exists) {
-      return {
-        ready: false,
-        failed: true,
-        reason: "MissingDependency",
-        message: `PostgresDatabase ${this.spec.database} not found`,
-      };
-    }
-
-    const dependencyReady = dependency.status?.conditions?.find(
-      (c) => c.type === "Ready" && c.status === "True",
-    );
-
-    if (!dependencyReady) {
-      return {
-        ready: false,
-        reason: "WaitingForDependency",
-        message:
-          `Waiting for PostgresDatabase ${this.spec.database} to be ready`,
-      };
-    }
-
-    // Continue with reconciliation...
-  };
-}
-```
-
-### Error Handling
-
-Proper error handling in reconciliation:
-
-```typescript
-#reconcileDeployment = async (): Promise<SubresourceResult> => {
-  try {
-    // Reconciliation logic...
-    return { ready: true };
-  } catch (error) {
-    return {
-      ready: false,
-      failed: true,
-      reason: 'ReconciliationError',
-      message: `Failed to reconcile deployment: ${error.message}`,
-    };
-  }
-};
-```
-
-## Example Usage
-
-Once your custom resource is implemented and registered, users can create
-instances using standard Kubernetes manifests. The operator will automatically
-detect new resources and begin reconciliation based on your implementation
-logic.
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: MyResource
-metadata:
-  name: my-app
-  namespace: default
-spec:
-  hostname: my-app.example.com
-  port: 8080
-  replicas: 3
-  protocol: https
-  database:
-    host: postgres.default.svc.cluster.local
-    port: 5432
-    name: myapp
-```
-
-**What happens when this resource is created:**
-
-1. **Validation**: The operator validates the spec against your Zod schema
-2. **Resource Creation**: Your `MyResourceResource` class is instantiated
-3. **Reconciliation**: The operator creates a Deployment with 3 replicas and a
-   Service
-4. **Status Updates**: Conditions are set to track deployment and service
-   readiness
-5. **Event Handling**: The operator watches for changes and re-reconciles as
-   needed
-
-Users can then monitor the resource status with:
-
-```bash
-kubectl get myresources my-app -o yaml
-kubectl describe myresource my-app
-```
-
-## Real Examples
-
-These examples show how the patterns described above are used in practice within
-the homelab-operator.
-
-### Simple Resource: Domain
-
-The `Domain` resource demonstrates a straightforward custom resource that
-manages external dependencies. It creates and manages TLS certificates through
-cert-manager and configures Istio gateways for HTTPS traffic routing.
-
-**What it does:**
-
-- Creates a cert-manager Certificate for TLS termination
-- Configures an Istio Gateway for traffic routing
-- Manages the lifecycle of both resources through owner references
-- Provides wildcard certificate support for subdomains
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: Domain
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  hostname: local.olsen.cloud # Domain for certificate and gateway
-  issuer: letsencrypt-prod # cert-manager ClusterIssuer to use
-```
-
-**Key Implementation Features:**
-
-- **CRD Dependency Checking**: Validates that cert-manager and Istio CRDs exist
-- **Cross-Namespace Resources**: Certificate is created in the istio-ingress
-  namespace
-- **Status Aggregation**: Combines certificate and gateway readiness into
-  overall status
-- **Wildcard Support**: Automatically configures `*.hostname` for subdomains
-
-### Complex Resource: AuthentikServer
-
-The `AuthentikServer` resource showcases a complex custom resource with multiple
-dependencies and sophisticated reconciliation logic. It deploys a complete
-identity provider solution with database and Redis dependencies.
-
-**What it does:**
-
-- Deploys Authentik identity provider with proper configuration
-- Manages database schema and user creation
-- Configures Redis connection for session storage
-- Sets up domain integration for SSO endpoints
-- Handles secret generation and rotation
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: AuthentikServer
-metadata:
-  name: homelab
-  namespace: homelab
-spec:
-  domain: homelab # References a Domain resource
-  database: test2 # References a PostgresDatabase resource
-  redis: redis # References a Redis connection
-```
-
-**Key Implementation Features:**
-
-- **Resource Dependencies**: Waits for Domain, PostgresDatabase, and Redis
-  resources
-- **Secret Management**: Generates and manages API keys, passwords, and tokens
-- **Service Configuration**: Creates comprehensive Kubernetes manifests
-  (Deployment, Service, Ingress)
-- **Health Checking**: Monitors application readiness and database connectivity
-- **Cross-Resource Communication**: Uses other custom resources' status and
-  outputs
-
-### Database Resource: PostgresDatabase
-
-The `PostgresDatabase` resource illustrates how to manage stateful resources and
-external system integration. It creates databases within an existing PostgreSQL
-instance and manages user permissions.
-
-**What it does:**
-
-- Creates a new database in an existing PostgreSQL server
-- Generates dedicated database user with appropriate permissions
-- Manages connection secrets for applications
-- Handles database cleanup and user removal
-
-```yaml
-apiVersion: homelab.mortenolsen.pro/v1
-kind: PostgresDatabase
-metadata:
-  name: test2
-  namespace: homelab
-spec:
-  connection: homelab/db # References PostgreSQL connection (namespace/name)
-```
-
-**Key Implementation Features:**
-
-- **External System Integration**: Connects to existing PostgreSQL instances
-- **User Management**: Creates database-specific users with minimal required
-  permissions
-- **Secret Generation**: Provides connection details to consuming applications
-- **Cleanup Handling**: Safely removes databases and users when resource is
-  deleted
-- **Connection Validation**: Verifies connectivity before marking as ready
-
-**Common Patterns Across Examples:**
-
-- **Owner References**: All managed resources have proper ownership for garbage
-  collection
-- **Condition Management**: Consistent status reporting through Kubernetes
-  conditions
-- **Resource Dependencies**: Graceful handling of missing or unready
-  dependencies
-- **Secret Management**: Secure generation and storage of credentials
-- **Cross-Resource Integration**: Resources reference and depend on each other
-  appropriately
-
-## Best Practices
-
-1. **Validation**: Always use Zod schemas for comprehensive spec validation
-2. **Idempotency**: Use `deepEqual` checks to avoid unnecessary updates
-3. **Conditions**: Provide clear status information through conditions
-4. **Owner References**: Always set owner references for created resources
-5. **Error Handling**: Provide meaningful error messages and failure reasons
-6. **Dependencies**: Handle missing dependencies gracefully
-7. **Cleanup**: Leverage Kubernetes garbage collection through owner references
-8. **Testing**: Create test manifests in `test-manifests/` for your resources
-
-## Troubleshooting
-
-- **Resource not reconciling**: Check if the resource is properly registered in
-  `custom-resources.ts`
-- **Validation errors**: Ensure your Zod schema matches the expected spec
-  structure
-- **Missing dependencies**: Verify that referenced resources exist and are ready
-- **Owner reference issues**: Make sure `ownerReferences` are set correctly for
-  garbage collection
-- **Condition not updating**: Ensure you're calling `this.conditions.set()` with
-  proper status values
-
-For more examples, refer to the existing custom resources in
-`src/custom-resouces/`.

images/backup/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine/git:latest@sha256:bd54f921f6d803dfa3a4fe14b7defe36df1b71349a3e416547e333aa960f86e3
+# or a more specific image like a Debian slim or Ubuntu base image.
+RUN apk add --no-cache restic fuse-overlayfs
+WORKDIR /app
+
+COPY backup.sh /app/backup.sh
+COPY cleanup.sh /app/cleanup.sh
+
+# Make scripts executable
+RUN chmod +x /app/backup.sh /app/cleanup.sh

images/backup/backup.sh

@@ -0,0 +1,35 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "$RESTIC_PASSWORD" ]; then
+  echo "Error: RESTIC_PASSWORD environment variable is not set." >&2
+  exit 1
+fi
+
+RESTIC_REPOSITORY="/mnt/backup"
+SOURCE_DIR="/mnt/source"
+
+mkdir -p "$SOURCE_DIR"
+mkdir -p "/mnt/backup"
+
+echo "Starting Restic backup from $SOURCE_DIR to $RESTIC_REPOSITORY"
+
+echo "Checking/Initializing Restic repository..."
+restic init --repo "$RESTIC_REPOSITORY" || true
+
+echo "Running Restic backup..."
+restic backup \
+  -r "$RESTIC_REPOSITORY" \
+  "$SOURCE_DIR" \
+  --verbose \
+  --tag "daily"
+
+if [ $? -eq 0 ]; then
+  echo "Restic backup completed successfully!"
+else
+  echo "Restic backup failed!"
+  exit 1
+fi
+
+echo "Backup finished."

images/backup/cleanup.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+set -e
+
+if [ -z "$RESTIC_PASSWORD" ]; then
+  echo "Error: RESTIC_PASSWORD environment variable is not set." >&2
+  exit 1
+fi
+RESTIC_REPOSITORY="/mnt/backup"
+
+echo "Starting Restic cleanup for repository $RESTIC_REPOSITORY"
+
+echo "Checking Restic repository existence..."
+restic snapshots --repository "$RESTIC_REPOSITORY"
+
+# Restic forget and prune strategy
+# --keep-daily 7: Keep 7 most recent daily backups
+# --keep-weekly 4: Keep 4 most recent weekly backups
+# --keep-monthly 6: Keep 6 most recent monthly backups
+# --keep-yearly 1: Keep 1 most recent yearly backup
+# --prune: Actually delete data that's no longer referenced
+# --group-by host,paths: Group snapshots for retention by host and path.
+echo "Running Restic forget and prune..."
+restic forget \
+  --group-by host,paths \
+  --tag "daily" \
+  --keep-daily 7 \
+  --keep-weekly 4 \
+  --keep-monthly 6 \
+  --keep-yearly 1 \
+  --prune \
+  --verbose \
+  --repository "$RESTIC_REPOSITORY"
+
+if [ $? -eq 0 ]; then
+  echo "Restic cleanup completed successfully!"
+else
+  echo "Restic cleanup failed!"
+  exit 1
+fi
+
+echo "Cleanup finished."

images/operator/.gitignore

@@ -0,0 +1,39 @@
+# dependencies (bun install)
+node_modules
+
+# output
+out
+dist
+*.tgz
+
+# code coverage
+coverage
+*.lcov
+
+# logs
+logs
+_.log
+report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# caches
+.eslintcache
+.cache
+*.tsbuildinfo
+
+# IntelliJ based IDEs
+.idea
+
+# Finder (MacOS) folder config
+.DS_Store
+
+/data/
+
+/cloudflare.yaml
+/secret.*.yaml

images/operator/Dockerfile

@@ -0,0 +1,8 @@
+FROM node:23-slim@sha256:86191b94d2a163be41f3dc7fe5e5fcaca8ba2f1be7275d98a06343483c17414a
+RUN corepack enable
+WORKDIR /app
+COPY package.json pnpm-lock.yaml ./
+COPY patches ./patches
+RUN pnpm install --frozen-lockfile --prod
+COPY . .
+CMD ["node", "src/index.ts"]

images/operator/package.json

@@ -5,15 +5,15 @@
   "private": true,
   "devDependencies": {
     "@eslint/eslintrc": "3.3.1",
-    "@eslint/js": "9.32.0",
+    "@eslint/js": "9.36.0",
     "@types/deep-equal": "^1.0.4",
-    "eslint": "9.32.0",
+    "eslint": "9.36.0",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-import": "2.32.0",
-    "eslint-plugin-prettier": "5.5.3",
+    "eslint-plugin-prettier": "5.5.4",
     "json-schema-to-typescript": "^15.0.4",
     "prettier": "3.6.2",
-    "typescript": "5.8.3",
+    "typescript": "5.9.2",
     "typescript-eslint": "8.38.0"
   },
   "peerDependencies": {
@@ -22,6 +22,8 @@
   "dependencies": {
     "@goauthentik/api": "2025.6.3-1751754396",
     "@kubernetes/client-node": "^1.3.0",
+    "cloudflare": "^5.0.0",
+    "cron": "^4.3.3",
     "debounce": "^2.2.0",
     "deep-equal": "^2.2.3",
     "dotenv": "^17.2.1",
@@ -29,19 +31,25 @@
     "execa": "^9.6.0",
     "knex": "^3.1.0",
     "p-queue": "^8.1.0",
-    "p-retry": "^6.2.1",
+    "p-retry": "^7.0.0",
     "pg": "^8.16.3",
     "sqlite3": "^5.1.7",
     "yaml": "^2.8.0",
     "zod": "^4.0.14"
   },
-  "packageManager": "pnpm@10.6.0",
+  "imports": {
+    "#services/*": "./src/services/*",
+    "#resources/*": "./src/resources/*",
+    "#bootstrap/*": "./src/bootstrap/*",
+    "#utils/*": "./src/utils/*"
+  },
+  "packageManager": "pnpm@10.17.1",
   "pnpm": {
     "onlyBuiltDependencies": [
       "sqlite3"
     ],
     "patchedDependencies": {
-      "@kubernetes/client-node": "patches/@kubernetes__client-node.patch"
+      "@kubernetes/client-node": "./patches/@kubernetes__client-node.patch"
     }
   },
   "scripts": {

images/operator/pnpm-lock.yaml

@@ -4,6 +4,11 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+patchedDependencies:
+  '@kubernetes/client-node':
+    hash: 0b0e5d32aa2930107c8c9b45df2639faf53fa12a389a551885d6e42d71f9429d
+    path: patches/@kubernetes__client-node.patch
+
 importers:
 
   .:
@@ -13,7 +18,13 @@ importers:
         version: 2025.6.3-1751754396
       '@kubernetes/client-node':
         specifier: ^1.3.0
-        version: 1.3.0(encoding@0.1.13)
+        version: 1.3.0(patch_hash=0b0e5d32aa2930107c8c9b45df2639faf53fa12a389a551885d6e42d71f9429d)(encoding@0.1.13)
+      cloudflare:
+        specifier: ^5.0.0
+        version: 5.1.0(encoding@0.1.13)
+      cron:
+        specifier: ^4.3.3
+        version: 4.3.3
       debounce:
         specifier: ^2.2.0
         version: 2.2.0
@@ -22,7 +33,7 @@ importers:
         version: 2.2.3
       dotenv:
         specifier: ^17.2.1
-        version: 17.2.1
+        version: 17.2.2
       eventemitter3:
         specifier: ^5.0.1
         version: 5.0.1
@@ -34,10 +45,10 @@ importers:
         version: 3.1.0(pg@8.16.3)(sqlite3@5.1.7)
       p-queue:
         specifier: ^8.1.0
-        version: 8.1.0
+        version: 8.1.1
       p-retry:
-        specifier: ^6.2.1
-        version: 6.2.1
+        specifier: ^7.0.0
+        version: 7.0.0
       pg:
         specifier: ^8.16.3
         version: 8.16.3
@@ -46,32 +57,32 @@ importers:
         version: 5.1.7
       yaml:
         specifier: ^2.8.0
-        version: 2.8.0
+        version: 2.8.1
       zod:
         specifier: ^4.0.14
-        version: 4.0.14
+        version: 4.1.11
     devDependencies:
       '@eslint/eslintrc':
         specifier: 3.3.1
         version: 3.3.1
       '@eslint/js':
-        specifier: 9.32.0
-        version: 9.32.0
+        specifier: 9.36.0
+        version: 9.36.0
       '@types/deep-equal':
         specifier: ^1.0.4
         version: 1.0.4
       eslint:
-        specifier: 9.32.0
-        version: 9.32.0
+        specifier: 9.36.0
+        version: 9.36.0
       eslint-config-prettier:
         specifier: 10.1.8
-        version: 10.1.8(eslint@9.32.0)
+        version: 10.1.8(eslint@9.36.0)
       eslint-plugin-import:
         specifier: 2.32.0
-        version: 2.32.0(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint@9.32.0)
+        version: 2.32.0(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint@9.36.0)
       eslint-plugin-prettier:
-        specifier: 5.5.3
-        version: 5.5.3(eslint-config-prettier@10.1.8(eslint@9.32.0))(eslint@9.32.0)(prettier@3.6.2)
+        specifier: 5.5.4
+        version: 5.5.4(eslint-config-prettier@10.1.8(eslint@9.36.0))(eslint@9.36.0)(prettier@3.6.2)
       json-schema-to-typescript:
         specifier: ^15.0.4
         version: 15.0.4
@@ -79,11 +90,11 @@ importers:
         specifier: 3.6.2
         version: 3.6.2
       typescript:
-        specifier: 5.8.3
-        version: 5.8.3
+        specifier: 5.9.2
+        version: 5.9.2
       typescript-eslint:
         specifier: 8.38.0
-        version: 8.38.0(eslint@9.32.0)(typescript@5.8.3)
+        version: 8.38.0(eslint@9.36.0)(typescript@5.9.2)
 
 packages:
 
@@ -97,6 +108,12 @@ packages:
     peerDependencies:
       eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
 
+  '@eslint-community/eslint-utils@4.9.0':
+    resolution: {integrity: sha512-ayVFHdtZ+hsq1t2Dy24wCmGXGe4q9Gu3smhLYALJrr473ZH27MsnSL+LKUlimp4BWJqMDMLmPpx/Q9R3OAlL4g==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
+
   '@eslint-community/regexpp@4.12.1':
     resolution: {integrity: sha512-CCZCDJuduB9OUkFkY2IgppNZMi2lBQgD2qzwXkEia16cge2pijY/aXi96CJMquDMn3nJdlPV1A5KrJEXwfLNzQ==}
     engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
@@ -105,28 +122,28 @@ packages:
     resolution: {integrity: sha512-ENIdc4iLu0d93HeYirvKmrzshzofPw6VkZRKQGe9Nv46ZnWUzcF1xV01dcvEg/1wXUR61OmmlSfyeyO7EvjLxQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/config-helpers@0.3.0':
-    resolution: {integrity: sha512-ViuymvFmcJi04qdZeDc2whTHryouGcDlaxPqarTD0ZE10ISpxGUVZGZDx4w01upyIynL3iu6IXH2bS1NhclQMw==}
+  '@eslint/config-helpers@0.3.1':
+    resolution: {integrity: sha512-xR93k9WhrDYpXHORXpxVL5oHj3Era7wo6k/Wd8/IsQNnZUTzkGS29lyn3nAT05v6ltUuTFVCCYDEGfy2Or/sPA==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/core@0.15.1':
-    resolution: {integrity: sha512-bkOp+iumZCCbt1K1CmWf0R9pM5yKpDv+ZXtvSyQpudrI9kuFLp+bM2WOPXImuD/ceQuaa8f5pj93Y7zyECIGNA==}
+  '@eslint/core@0.15.2':
+    resolution: {integrity: sha512-78Md3/Rrxh83gCxoUc0EiciuOHsIITzLy53m3d9UyiW8y9Dj2D29FeETqyKA+BRK76tnTp6RXWb3pCay8Oyomg==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   '@eslint/eslintrc@3.3.1':
     resolution: {integrity: sha512-gtF186CXhIl1p4pJNGZw8Yc6RlshoePRvE0X91oPGb3vZ8pM3qOS9W9NGPat9LziaBV7XrJWGylNQXkGcnM3IQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/js@9.32.0':
-    resolution: {integrity: sha512-BBpRFZK3eX6uMLKz8WxFOBIFFcGFJ/g8XuwjTHCqHROSIsopI+ddn/d5Cfh36+7+e5edVS8dbSHnBNhrLEX0zg==}
+  '@eslint/js@9.36.0':
+    resolution: {integrity: sha512-uhCbYtYynH30iZErszX78U+nR3pJU3RHGQ57NXy5QupD4SBVwDeU8TNBy+MjMngc1UyIW9noKqsRqfjQTBU2dw==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   '@eslint/object-schema@2.1.6':
     resolution: {integrity: sha512-RBMg5FRL0I0gs51M/guSAj5/e14VQ4tpZnQNWwuDT66P14I43ItmPfIZRhO9fUVIPOAQXU47atlywZ/czoqFPA==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/plugin-kit@0.3.4':
-    resolution: {integrity: sha512-Ul5l+lHEcw3L5+k8POx6r74mxEYKG5kOb6Xpy2gCRW6zweT6TEhAf8vhxGgjhqrd/VO/Dirhsb+1hNpD1ue9hw==}
+  '@eslint/plugin-kit@0.3.5':
+    resolution: {integrity: sha512-Z5kJ+wU3oA7MMIqVR9tyZRtjYPr4OC004Q4Rw7pgOKUOKkJfZ3O24nz3WYfGRpMDNmcOi3TwQOmgm7B7Tpii0w==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   '@gar/promisify@1.1.3':
@@ -229,15 +246,18 @@ packages:
   '@types/lodash@4.17.20':
     resolution: {integrity: sha512-H3MHACvFUEiujabxhaI/ImO6gUrd8oOurg7LQtS7mbwIXA/cUqWrvBsaeJ23aZEPk1TAYkurjfMbSELfoCXlGA==}
 
+  '@types/luxon@3.7.1':
+    resolution: {integrity: sha512-H3iskjFIAn5SlJU7OuxUmTEpebK6TKB8rxZShDslBMZJ5u9S//KM1sbdAisiSrqwLQncVjnpi2OK2J51h+4lsg==}
+
   '@types/node-fetch@2.6.12':
     resolution: {integrity: sha512-8nneRWKCg3rMtF69nLQJnOYUcbafYeFSjqkw3jCRLsqkWFlHaoQrr5mXmofFGOx3DKn7UfmBMyov8ySvLRVldA==}
 
+  '@types/node@18.19.123':
+    resolution: {integrity: sha512-K7DIaHnh0mzVxreCR9qwgNxp3MH9dltPNIEddW9MYUlcKAzm+3grKNSTe2vCJHI1FaLpvpL5JGJrz1UZDKYvDg==}
+
   '@types/node@22.16.5':
     resolution: {integrity: sha512-bJFoMATwIGaxxx8VJPeM8TonI8t579oRvgAuT8zFugJsJZgzqv0Fu8Mhp68iecjzG7cnN3mO2dJQ5uUM2EFrgQ==}
 
-  '@types/retry@0.12.2':
-    resolution: {integrity: sha512-XISRgDJ2Tc5q4TRqvgJtzsRkFYNJzZrhTdtMoGVBttwzzQJkPnS3WWTFc7kuDRoPtPakl+T+OfdEUjYJj7Jbow==}
-
   '@types/stream-buffers@3.0.7':
     resolution: {integrity: sha512-azOCy05sXVXrO+qklf0c/B07H/oHaIuDDAiHPVwlk3A9Ek+ksHyTeMajLZl3r76FxpPpxem//4Te61G1iW3Giw==}
 
@@ -303,6 +323,10 @@ packages:
   abbrev@1.1.1:
     resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==}
 
+  abort-controller@3.0.0:
+    resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
+    engines: {node: '>=6.5'}
+
   acorn-jsx@5.3.2:
     resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
     peerDependencies:
@@ -479,6 +503,9 @@ packages:
     resolution: {integrity: sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==}
     engines: {node: '>=6'}
 
+  cloudflare@5.1.0:
+    resolution: {integrity: sha512-J2vT90WHio8VSbGUmuHckJr9pabH6N+nQKQsgjfwydgV2bgyQoV/KqWw1Df+YKZ5T/QqP7KadKr4bxh+WiRafg==}
+
   color-convert@2.0.1:
     resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
     engines: {node: '>=7.0.0'}
@@ -507,6 +534,10 @@ packages:
   console-control-strings@1.1.0:
     resolution: {integrity: sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==}
 
+  cron@4.3.3:
+    resolution: {integrity: sha512-B/CJj5yL3sjtlun6RtYHvoSB26EmQ2NUmhq9ZiJSyKIM4K/fqfh9aelDFlIayD2YMeFZqWLi9hHV+c+pq2Djkw==}
+    engines: {node: '>=18.x'}
+
   cross-spawn@7.0.6:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
@@ -591,8 +622,8 @@ packages:
     resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
     engines: {node: '>=0.10.0'}
 
-  dotenv@17.2.1:
-    resolution: {integrity: sha512-kQhDYKZecqnM0fCnzI5eIv5L4cAe/iRI+HqMbO/hbRdTAeXDG+M9FjipUxNfbARuEg4iHIbhnhs78BCHNbSxEQ==}
+  dotenv@17.2.2:
+    resolution: {integrity: sha512-Sf2LSQP+bOlhKWWyhFsn0UsfdK/kCWRv1iuA2gXAwt3dyNabr6QSj00I2V10pidqz69soatm9ZwZvpQMTIOd5Q==}
     engines: {node: '>=12'}
 
   dunder-proto@1.0.1:
@@ -694,8 +725,8 @@ packages:
       '@typescript-eslint/parser':
         optional: true
 
-  eslint-plugin-prettier@5.5.3:
-    resolution: {integrity: sha512-NAdMYww51ehKfDyDhv59/eIItUVzU0Io9H2E8nHNGKEeeqlnci+1gCvrHib6EmZdf6GxF+LCV5K7UC65Ezvw7w==}
+  eslint-plugin-prettier@5.5.4:
+    resolution: {integrity: sha512-swNtI95SToIz05YINMA6Ox5R057IMAmWZ26GqPxusAp1TZzj+IdY9tXNWWD3vkF/wEqydCONcwjTFpxybBqZsg==}
     engines: {node: ^14.18.0 || >=16.0.0}
     peerDependencies:
       '@types/eslint': '>=8.0.0'
@@ -720,8 +751,8 @@ packages:
     resolution: {integrity: sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  eslint@9.32.0:
-    resolution: {integrity: sha512-LSehfdpgMeWcTZkWZVIJl+tkZ2nuSkyyB9C27MZqFWXuph7DvaowgcTvKqxvpLW1JZIk8PN7hFY3Rj9LQ7m7lg==}
+  eslint@9.36.0:
+    resolution: {integrity: sha512-hB4FIzXovouYzwzECDcUkJ4OcfOEkXTv2zRY6B9bkwjx/cprAq0uvm1nl7zvQ0/TsUk0zQiN4uPfJpB9m+rPMQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
     hasBin: true
     peerDependencies:
@@ -754,6 +785,10 @@ packages:
     resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
     engines: {node: '>=0.10.0'}
 
+  event-target-shim@5.0.1:
+    resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
+    engines: {node: '>=6'}
+
   eventemitter3@5.0.1:
     resolution: {integrity: sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==}
 
@@ -825,10 +860,17 @@ packages:
     resolution: {integrity: sha512-dKx12eRCVIzqCxFGplyFKJMPvLEWgmNtUrpTiJIR5u97zEhRG8ySrtboPHZXx7daLxQVrl643cTzbab2tkQjxg==}
     engines: {node: '>= 0.4'}
 
+  form-data-encoder@1.7.2:
+    resolution: {integrity: sha512-qfqtYan3rxrnCk1VYaA4H+Ms9xdpPqvLZa6xmMgFvhO32x7/3J/ExcTd6qpxM0vH2GdMI+poehyBZvqfMTto8A==}
+
   form-data@4.0.4:
     resolution: {integrity: sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==}
     engines: {node: '>= 6'}
 
+  formdata-node@4.4.1:
+    resolution: {integrity: sha512-0iirZp3uVDjVGt9p49aTaqjk84TrglENEDuqfdlZQ1roC9CWlPk6Avf8EEnZNcAqPonwkG35x4n3ww/1THYAeQ==}
+    engines: {node: '>= 12.20'}
+
   fs-constants@1.0.0:
     resolution: {integrity: sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==}
 
@@ -1238,6 +1280,10 @@ packages:
     resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
     engines: {node: '>=10'}
 
+  luxon@3.7.1:
+    resolution: {integrity: sha512-RkRWjA926cTvz5rAb1BqyWkKbbjzCGchDUIKMCUvNi17j6f6j8uHGDV82Aqcqtzd+icoYpELmG3ksgGiFNNcNg==}
+    engines: {node: '>=12'}
+
   make-fetch-happen@9.1.0:
     resolution: {integrity: sha512-+zopwDy7DNknmwPQplem5lAZX/eCOzSvSNNcSKm5eVwTkOBzoktEfXsa9L23J/GIRhxRsaxzkPEhrJEpE2F4Gg==}
     engines: {node: '>= 10'}
@@ -1339,6 +1385,11 @@ packages:
   node-addon-api@7.1.1:
     resolution: {integrity: sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==}
 
+  node-domexception@1.0.0:
+    resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
+    engines: {node: '>=10.5.0'}
+    deprecated: Use your platform's native DOMException instead
+
   node-fetch@2.7.0:
     resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
     engines: {node: 4.x || >=6.0.0}
@@ -1424,13 +1475,13 @@ packages:
     resolution: {integrity: sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==}
     engines: {node: '>=10'}
 
-  p-queue@8.1.0:
-    resolution: {integrity: sha512-mxLDbbGIBEXTJL0zEx8JIylaj3xQ7Z/7eEVjcF9fJX4DBiH9oqe+oahYnlKKxm0Ci9TlWTyhSHgygxMxjIB2jw==}
+  p-queue@8.1.1:
+    resolution: {integrity: sha512-aNZ+VfjobsWryoiPnEApGGmf5WmNsCo9xu8dfaYamG5qaLP7ClhLN6NgsFe6SwJ2UbLEBK5dv9x8Mn5+RVhMWQ==}
     engines: {node: '>=18'}
 
-  p-retry@6.2.1:
-    resolution: {integrity: sha512-hEt02O4hUct5wtwg4H4KcWgDdm+l1bOaEy/hWzd8xtXB9BqxTWBBhb+2ImAtH4Cv4rPjV76xN3Zumqk3k3AhhQ==}
-    engines: {node: '>=16.17'}
+  p-retry@7.0.0:
+    resolution: {integrity: sha512-3BgO9rjULJYyr0Y0pcsG7FZ+7JB/hfOODO8kx9ppumiO5jprUF92WK/Y7Q0xppZtq4VhTcPiVq7qWLQfIV5aKQ==}
+    engines: {node: '>=20'}
 
   p-timeout@6.1.4:
     resolution: {integrity: sha512-MyIV3ZA/PmyBN/ud8vV9XzwTrNtR4jFrObymZYnZqMmW0zA8Z17vnT0rBgFE/TlohB+YCHqXMgZzb3Csp49vqg==}
@@ -1609,10 +1660,6 @@ packages:
     resolution: {integrity: sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==}
     engines: {node: '>= 4'}
 
-  retry@0.13.1:
-    resolution: {integrity: sha512-XQBQ3I8W1Cge0Seh+6gjj03LbmRFWuoszgK9ooCpwYIrhhoO80pfq4cUkU5DkknwfOfFteRwlZ56PYOGYyFWdg==}
-    engines: {node: '>= 4'}
-
   reusify@1.1.0:
     resolution: {integrity: sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==}
     engines: {iojs: '>=1.0.0', node: '>=0.10.0'}
@@ -1877,8 +1924,8 @@ packages:
       eslint: ^8.57.0 || ^9.0.0
       typescript: '>=4.8.4 <5.9.0'
 
-  typescript@5.8.3:
-    resolution: {integrity: sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==}
+  typescript@5.9.2:
+    resolution: {integrity: sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==}
     engines: {node: '>=14.17'}
     hasBin: true
 
@@ -1886,6 +1933,9 @@ packages:
     resolution: {integrity: sha512-nWJ91DjeOkej/TA8pXQ3myruKpKEYgqvpw9lz4OPHj/NWFNluYrjbz9j01CJ8yKQd2g4jFoOkINCTW2I5LEEyw==}
     engines: {node: '>= 0.4'}
 
+  undici-types@5.26.5:
+    resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==}
+
   undici-types@6.21.0:
     resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
 
@@ -1905,6 +1955,10 @@ packages:
   util-deprecate@1.0.2:
     resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
 
+  web-streams-polyfill@4.0.0-beta.3:
+    resolution: {integrity: sha512-QW95TCTaHmsYfHDybGMwO5IJIM93I/6vTRk+daHTWFPhwh+C8Cg7j7XyKrwrj8Ib6vYXe0ocYNrmzY4xAAN6ug==}
+    engines: {node: '>= 14'}
+
   webidl-conversions@3.0.1:
     resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}
 
@@ -1961,8 +2015,8 @@ packages:
   yallist@4.0.0:
     resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==}
 
-  yaml@2.8.0:
-    resolution: {integrity: sha512-4lLa/EcQCB0cJkyts+FpIRx5G/llPxfP6VQU5KByHEhLxY3IJCH0f0Hy1MHI8sClTvsIb8qwRJ6R/ZdlDJ/leQ==}
+  yaml@2.8.1:
+    resolution: {integrity: sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==}
     engines: {node: '>= 14.6'}
     hasBin: true
 
@@ -1974,8 +2028,8 @@ packages:
     resolution: {integrity: sha512-GQHQqAopRhwU8Kt1DDM8NjibDXHC8eoh1erhGAJPEyveY9qqVeXvVikNKrDz69sHowPMorbPUrH/mx8c50eiBQ==}
     engines: {node: '>=18'}
 
-  zod@4.0.14:
-    resolution: {integrity: sha512-nGFJTnJN6cM2v9kXL+SOBq3AtjQby3Mv5ySGFof5UGRHrRioSJ5iG680cYNjE/yWk671nROcpPj4hAS8nyLhSw==}
+  zod@4.1.11:
+    resolution: {integrity: sha512-WPsqwxITS2tzx1bzhIKsEs19ABD5vmCVa4xBo2tq/SrV4RNZtfws1EnCWQXM6yh8bD08a1idvkB5MZSBiZsjwg==}
 
 snapshots:
 
@@ -1985,9 +2039,14 @@ snapshots:
       '@types/json-schema': 7.0.15
       js-yaml: 4.1.0
 
-  '@eslint-community/eslint-utils@4.7.0(eslint@9.32.0)':
+  '@eslint-community/eslint-utils@4.7.0(eslint@9.36.0)':
     dependencies:
-      eslint: 9.32.0
+      eslint: 9.36.0
+      eslint-visitor-keys: 3.4.3
+
+  '@eslint-community/eslint-utils@4.9.0(eslint@9.36.0)':
+    dependencies:
+      eslint: 9.36.0
       eslint-visitor-keys: 3.4.3
 
   '@eslint-community/regexpp@4.12.1': {}
@@ -2000,9 +2059,9 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@eslint/config-helpers@0.3.0': {}
+  '@eslint/config-helpers@0.3.1': {}
 
-  '@eslint/core@0.15.1':
+  '@eslint/core@0.15.2':
     dependencies:
       '@types/json-schema': 7.0.15
 
@@ -2020,13 +2079,13 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@eslint/js@9.32.0': {}
+  '@eslint/js@9.36.0': {}
 
   '@eslint/object-schema@2.1.6': {}
 
-  '@eslint/plugin-kit@0.3.4':
+  '@eslint/plugin-kit@0.3.5':
     dependencies:
-      '@eslint/core': 0.15.1
+      '@eslint/core': 0.15.2
       levn: 0.4.1
 
   '@gar/promisify@1.1.3':
@@ -2057,7 +2116,7 @@ snapshots:
     dependencies:
       jsep: 1.4.0
 
-  '@kubernetes/client-node@1.3.0(encoding@0.1.13)':
+  '@kubernetes/client-node@1.3.0(patch_hash=0b0e5d32aa2930107c8c9b45df2639faf53fa12a389a551885d6e42d71f9429d)(encoding@0.1.13)':
     dependencies:
       '@types/js-yaml': 4.0.9
       '@types/node': 22.16.5
@@ -2129,56 +2188,60 @@ snapshots:
 
   '@types/lodash@4.17.20': {}
 
+  '@types/luxon@3.7.1': {}
+
   '@types/node-fetch@2.6.12':
     dependencies:
       '@types/node': 22.16.5
       form-data: 4.0.4
 
+  '@types/node@18.19.123':
+    dependencies:
+      undici-types: 5.26.5
+
   '@types/node@22.16.5':
     dependencies:
       undici-types: 6.21.0
 
-  '@types/retry@0.12.2': {}
-
   '@types/stream-buffers@3.0.7':
     dependencies:
       '@types/node': 22.16.5
 
-  '@typescript-eslint/eslint-plugin@8.38.0(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint@9.32.0)(typescript@5.8.3)':
+  '@typescript-eslint/eslint-plugin@8.38.0(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint@9.36.0)(typescript@5.9.2)':
     dependencies:
       '@eslint-community/regexpp': 4.12.1
-      '@typescript-eslint/parser': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
+      '@typescript-eslint/parser': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
       '@typescript-eslint/scope-manager': 8.38.0
-      '@typescript-eslint/type-utils': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
-      '@typescript-eslint/utils': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
+      '@typescript-eslint/type-utils': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
+      '@typescript-eslint/utils': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
       '@typescript-eslint/visitor-keys': 8.38.0
-      eslint: 9.32.0
+      eslint: 9.36.0
       graphemer: 1.4.0
       ignore: 7.0.5
       natural-compare: 1.4.0
-      ts-api-utils: 2.1.0(typescript@5.8.3)
-      typescript: 5.8.3
+      ts-api-utils: 2.1.0(typescript@5.9.2)
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3)':
+  '@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2)':
     dependencies:
       '@typescript-eslint/scope-manager': 8.38.0
       '@typescript-eslint/types': 8.38.0
-      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.8.3)
+      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.9.2)
       '@typescript-eslint/visitor-keys': 8.38.0
       debug: 4.4.1
-      eslint: 9.32.0
-      typescript: 5.8.3
+      eslint: 9.36.0
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/project-service@8.38.0(typescript@5.8.3)':
+  '@typescript-eslint/project-service@8.38.0(typescript@5.9.2)':
     dependencies:
-      '@typescript-eslint/tsconfig-utils': 8.38.0(typescript@5.8.3)
+      '@typescript-eslint/tsconfig-utils': 8.38.0(typescript@5.9.2)
       '@typescript-eslint/types': 8.38.0
       debug: 4.4.1
-      typescript: 5.8.3
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
@@ -2187,28 +2250,28 @@ snapshots:
       '@typescript-eslint/types': 8.38.0
       '@typescript-eslint/visitor-keys': 8.38.0
 
-  '@typescript-eslint/tsconfig-utils@8.38.0(typescript@5.8.3)':
+  '@typescript-eslint/tsconfig-utils@8.38.0(typescript@5.9.2)':
     dependencies:
-      typescript: 5.8.3
+      typescript: 5.9.2
 
-  '@typescript-eslint/type-utils@8.38.0(eslint@9.32.0)(typescript@5.8.3)':
+  '@typescript-eslint/type-utils@8.38.0(eslint@9.36.0)(typescript@5.9.2)':
     dependencies:
       '@typescript-eslint/types': 8.38.0
-      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.8.3)
-      '@typescript-eslint/utils': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
+      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.9.2)
+      '@typescript-eslint/utils': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
       debug: 4.4.1
-      eslint: 9.32.0
-      ts-api-utils: 2.1.0(typescript@5.8.3)
-      typescript: 5.8.3
+      eslint: 9.36.0
+      ts-api-utils: 2.1.0(typescript@5.9.2)
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
   '@typescript-eslint/types@8.38.0': {}
 
-  '@typescript-eslint/typescript-estree@8.38.0(typescript@5.8.3)':
+  '@typescript-eslint/typescript-estree@8.38.0(typescript@5.9.2)':
     dependencies:
-      '@typescript-eslint/project-service': 8.38.0(typescript@5.8.3)
-      '@typescript-eslint/tsconfig-utils': 8.38.0(typescript@5.8.3)
+      '@typescript-eslint/project-service': 8.38.0(typescript@5.9.2)
+      '@typescript-eslint/tsconfig-utils': 8.38.0(typescript@5.9.2)
       '@typescript-eslint/types': 8.38.0
       '@typescript-eslint/visitor-keys': 8.38.0
       debug: 4.4.1
@@ -2216,19 +2279,19 @@ snapshots:
       is-glob: 4.0.3
       minimatch: 9.0.5
       semver: 7.7.2
-      ts-api-utils: 2.1.0(typescript@5.8.3)
-      typescript: 5.8.3
+      ts-api-utils: 2.1.0(typescript@5.9.2)
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
-  '@typescript-eslint/utils@8.38.0(eslint@9.32.0)(typescript@5.8.3)':
+  '@typescript-eslint/utils@8.38.0(eslint@9.36.0)(typescript@5.9.2)':
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@9.32.0)
+      '@eslint-community/eslint-utils': 4.7.0(eslint@9.36.0)
       '@typescript-eslint/scope-manager': 8.38.0
       '@typescript-eslint/types': 8.38.0
-      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.8.3)
-      eslint: 9.32.0
-      typescript: 5.8.3
+      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.9.2)
+      eslint: 9.36.0
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
@@ -2240,6 +2303,10 @@ snapshots:
   abbrev@1.1.1:
     optional: true
 
+  abort-controller@3.0.0:
+    dependencies:
+      event-target-shim: 5.0.1
+
   acorn-jsx@5.3.2(acorn@8.15.0):
     dependencies:
       acorn: 8.15.0
@@ -2258,7 +2325,6 @@ snapshots:
   agentkeepalive@4.6.0:
     dependencies:
       humanize-ms: 1.2.1
-    optional: true
 
   aggregate-error@3.1.0:
     dependencies:
@@ -2463,6 +2529,18 @@ snapshots:
   clean-stack@2.2.0:
     optional: true
 
+  cloudflare@5.1.0(encoding@0.1.13):
+    dependencies:
+      '@types/node': 18.19.123
+      '@types/node-fetch': 2.6.12
+      abort-controller: 3.0.0
+      agentkeepalive: 4.6.0
+      form-data-encoder: 1.7.2
+      formdata-node: 4.4.1
+      node-fetch: 2.7.0(encoding@0.1.13)
+    transitivePeerDependencies:
+      - encoding
+
   color-convert@2.0.1:
     dependencies:
       color-name: 1.1.4
@@ -2485,6 +2563,11 @@ snapshots:
   console-control-strings@1.1.0:
     optional: true
 
+  cron@4.3.3:
+    dependencies:
+      '@types/luxon': 3.7.1
+      luxon: 3.7.1
+
   cross-spawn@7.0.6:
     dependencies:
       path-key: 3.1.1
@@ -2575,7 +2658,7 @@ snapshots:
     dependencies:
       esutils: 2.0.3
 
-  dotenv@17.2.1: {}
+  dotenv@17.2.2: {}
 
   dunder-proto@1.0.1:
     dependencies:
@@ -2699,9 +2782,9 @@ snapshots:
 
   escape-string-regexp@4.0.0: {}
 
-  eslint-config-prettier@10.1.8(eslint@9.32.0):
+  eslint-config-prettier@10.1.8(eslint@9.36.0):
     dependencies:
-      eslint: 9.32.0
+      eslint: 9.36.0
 
   eslint-import-resolver-node@0.3.9:
     dependencies:
@@ -2711,17 +2794,17 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint@9.32.0):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint-import-resolver-node@0.3.9)(eslint@9.36.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
-      '@typescript-eslint/parser': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
-      eslint: 9.32.0
+      '@typescript-eslint/parser': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
+      eslint: 9.36.0
       eslint-import-resolver-node: 0.3.9
     transitivePeerDependencies:
       - supports-color
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint@9.32.0):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint@9.36.0):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -2730,9 +2813,9 @@ snapshots:
       array.prototype.flatmap: 1.3.3
       debug: 3.2.7
       doctrine: 2.1.0
-      eslint: 9.32.0
+      eslint: 9.36.0
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint-import-resolver-node@0.3.9)(eslint@9.32.0)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint-import-resolver-node@0.3.9)(eslint@9.36.0)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -2744,20 +2827,20 @@ snapshots:
       string.prototype.trimend: 1.0.9
       tsconfig-paths: 3.15.0
     optionalDependencies:
-      '@typescript-eslint/parser': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
+      '@typescript-eslint/parser': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
     transitivePeerDependencies:
       - eslint-import-resolver-typescript
       - eslint-import-resolver-webpack
       - supports-color
 
-  eslint-plugin-prettier@5.5.3(eslint-config-prettier@10.1.8(eslint@9.32.0))(eslint@9.32.0)(prettier@3.6.2):
+  eslint-plugin-prettier@5.5.4(eslint-config-prettier@10.1.8(eslint@9.36.0))(eslint@9.36.0)(prettier@3.6.2):
     dependencies:
-      eslint: 9.32.0
+      eslint: 9.36.0
       prettier: 3.6.2
       prettier-linter-helpers: 1.0.0
       synckit: 0.11.11
     optionalDependencies:
-      eslint-config-prettier: 10.1.8(eslint@9.32.0)
+      eslint-config-prettier: 10.1.8(eslint@9.36.0)
 
   eslint-scope@8.4.0:
     dependencies:
@@ -2768,16 +2851,16 @@ snapshots:
 
   eslint-visitor-keys@4.2.1: {}
 
-  eslint@9.32.0:
+  eslint@9.36.0:
     dependencies:
-      '@eslint-community/eslint-utils': 4.7.0(eslint@9.32.0)
+      '@eslint-community/eslint-utils': 4.9.0(eslint@9.36.0)
       '@eslint-community/regexpp': 4.12.1
       '@eslint/config-array': 0.21.0
-      '@eslint/config-helpers': 0.3.0
-      '@eslint/core': 0.15.1
+      '@eslint/config-helpers': 0.3.1
+      '@eslint/core': 0.15.2
       '@eslint/eslintrc': 3.3.1
-      '@eslint/js': 9.32.0
-      '@eslint/plugin-kit': 0.3.4
+      '@eslint/js': 9.36.0
+      '@eslint/plugin-kit': 0.3.5
       '@humanfs/node': 0.16.6
       '@humanwhocodes/module-importer': 1.0.1
       '@humanwhocodes/retry': 0.4.3
@@ -2828,6 +2911,8 @@ snapshots:
 
   esutils@2.0.3: {}
 
+  event-target-shim@5.0.1: {}
+
   eventemitter3@5.0.1: {}
 
   execa@9.6.0:
@@ -2903,6 +2988,8 @@ snapshots:
     dependencies:
       is-callable: 1.2.7
 
+  form-data-encoder@1.7.2: {}
+
   form-data@4.0.4:
     dependencies:
       asynckit: 0.4.0
@@ -2911,6 +2998,11 @@ snapshots:
       hasown: 2.0.2
       mime-types: 2.1.35
 
+  formdata-node@4.4.1:
+    dependencies:
+      node-domexception: 1.0.0
+      web-streams-polyfill: 4.0.0-beta.3
+
   fs-constants@1.0.0: {}
 
   fs-minipass@2.1.0:
@@ -3064,7 +3156,6 @@ snapshots:
   humanize-ms@1.2.1:
     dependencies:
       ms: 2.1.3
-    optional: true
 
   iconv-lite@0.6.3:
     dependencies:
@@ -3329,6 +3420,8 @@ snapshots:
       yallist: 4.0.0
     optional: true
 
+  luxon@3.7.1: {}
+
   make-fetch-happen@9.1.0:
     dependencies:
       agentkeepalive: 4.6.0
@@ -3440,6 +3533,8 @@ snapshots:
 
   node-addon-api@7.1.1: {}
 
+  node-domexception@1.0.0: {}
+
   node-fetch@2.7.0(encoding@0.1.13):
     dependencies:
       whatwg-url: 5.0.0
@@ -3558,16 +3653,14 @@ snapshots:
       aggregate-error: 3.1.0
     optional: true
 
-  p-queue@8.1.0:
+  p-queue@8.1.1:
     dependencies:
       eventemitter3: 5.0.1
       p-timeout: 6.1.4
 
-  p-retry@6.2.1:
+  p-retry@7.0.0:
     dependencies:
-      '@types/retry': 0.12.2
       is-network-error: 1.1.0
-      retry: 0.13.1
 
   p-timeout@6.1.4: {}
 
@@ -3736,8 +3829,6 @@ snapshots:
   retry@0.12.0:
     optional: true
 
-  retry@0.13.1: {}
-
   reusify@1.1.0: {}
 
   rfc4648@1.5.4: {}
@@ -4026,9 +4117,9 @@ snapshots:
 
   tr46@0.0.3: {}
 
-  ts-api-utils@2.1.0(typescript@5.8.3):
+  ts-api-utils@2.1.0(typescript@5.9.2):
     dependencies:
-      typescript: 5.8.3
+      typescript: 5.9.2
 
   tsconfig-paths@3.15.0:
     dependencies:
@@ -4078,18 +4169,18 @@ snapshots:
       possible-typed-array-names: 1.1.0
       reflect.getprototypeof: 1.0.10
 
-  typescript-eslint@8.38.0(eslint@9.32.0)(typescript@5.8.3):
+  typescript-eslint@8.38.0(eslint@9.36.0)(typescript@5.9.2):
     dependencies:
-      '@typescript-eslint/eslint-plugin': 8.38.0(@typescript-eslint/parser@8.38.0(eslint@9.32.0)(typescript@5.8.3))(eslint@9.32.0)(typescript@5.8.3)
-      '@typescript-eslint/parser': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
-      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.8.3)
-      '@typescript-eslint/utils': 8.38.0(eslint@9.32.0)(typescript@5.8.3)
-      eslint: 9.32.0
-      typescript: 5.8.3
+      '@typescript-eslint/eslint-plugin': 8.38.0(@typescript-eslint/parser@8.38.0(eslint@9.36.0)(typescript@5.9.2))(eslint@9.36.0)(typescript@5.9.2)
+      '@typescript-eslint/parser': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
+      '@typescript-eslint/typescript-estree': 8.38.0(typescript@5.9.2)
+      '@typescript-eslint/utils': 8.38.0(eslint@9.36.0)(typescript@5.9.2)
+      eslint: 9.36.0
+      typescript: 5.9.2
     transitivePeerDependencies:
       - supports-color
 
-  typescript@5.8.3: {}
+  typescript@5.9.2: {}
 
   unbox-primitive@1.1.0:
     dependencies:
@@ -4098,6 +4189,8 @@ snapshots:
       has-symbols: 1.1.0
       which-boxed-primitive: 1.1.1
 
+  undici-types@5.26.5: {}
+
   undici-types@6.21.0: {}
 
   unicorn-magic@0.3.0: {}
@@ -4118,6 +4211,8 @@ snapshots:
 
   util-deprecate@1.0.2: {}
 
+  web-streams-polyfill@4.0.0-beta.3: {}
+
   webidl-conversions@3.0.1: {}
 
   whatwg-url@5.0.0:
@@ -4185,10 +4280,10 @@ snapshots:
 
   yallist@4.0.0: {}
 
-  yaml@2.8.0: {}
+  yaml@2.8.1: {}
 
   yocto-queue@0.1.0: {}
 
   yoctocolors@2.1.1: {}
 
-  zod@4.0.14: {}
+  zod@4.1.11: {}